[cabfpub] Continuing the discussion on CAA
eric at konklone.com
Mon Oct 24 15:39:20 UTC 2016
On Mon, Oct 24, 2016 at 7:37 AM, Gervase Markham via Public <
public at cabforum.org> wrote:
> Hi Eneli,
> On 24/10/16 12:08, Eneli Kirme via Public wrote:
> > But consider this scenario: a hypothetical CoolCA approaching a DNS
> > service provider, be it an ISP, domain registrar or some kind of hosting
> > provider, with a proposal to include a CAA record pointing to the CoolCA
> > into their default configuration.
> I would expect the DNS service provider to refuse, because otherwise
> they'll have a lot of angry customers ringing them up, saying "my CA
> tells me I can't have a certificate, and it's your fault".
> However, to address this, would it be reasonable to add a clause in the
> CAA-related change which said something like: "CAs MUST NOT add (or
> cause or request to be added) CAA records to the DNS without the
> explicit permission of the domain owner."
Would this _only_ apply to CAs which also control DNS? I don't think that
addresses the scenario that Eneli described, where a DNS provider or ISP is
persuaded (or fooled) by an external CA into adding a CAA record on their
system for their customers.
> Public mailing list
> Public at cabforum.org
konklone.com | @konklone <https://twitter.com/konklone>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public