[cabfpub] Continuing the discussion on CAA

Jeremy Rowley jeremy.rowley at digicert.com
Mon Oct 24 15:40:24 UTC 2016

Has there been an issuance to a third party that CAA would have prevented?
Since there's no way to ensure compliance with a hard-fail CAA requirement,
will CAA do anything useful? We don't mind CAA as a validation check, but
I'm curious if anyone knows of an issued cert that would have been rejected
if CAA were fully implemented.

-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase
Markham via Public
Sent: Monday, October 24, 2016 5:38 AM
To: Eneli Kirme <Eneli.Kirme at sk.ee>; public at cabforum.org
Subject: Re: [cabfpub] Continuing the discussion on CAA

Hi Eneli,

On 24/10/16 12:08, Eneli Kirme via Public wrote:
> But consider this scenario: a hypothetical CoolCA approaching a DNS
> service provider, be it an ISP, domain registrar or some kind of
> hosting provider, with a proposal to include a CAA record pointing to
> the CoolCA in their default configuration.

I would expect the DNS service provider to refuse, because otherwise they'll
have a lot of angry customers ringing them up, saying "my CA tells me I
can't have a certificate, and it's your fault".

However, to address this, would it be reasonable to add a clause in the
CAA-related change which said something like: "CAs MUST NOT add (or cause or
request to be added) CAA records to the DNS without the explicit permission
of the domain owner."
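To make the "default CAA record" scenario concrete, here is an added example (not code from this thread or from any CA) of the RFC 6844 check a CA would run at validation time. It works over a constructed in-memory zone rather than live DNS; the domain names and CA identifiers are assumptions for illustration.

```python
# Added example: minimal RFC 6844 CAA evaluation over a constructed zone.
# Names and CA identifiers below are assumptions, not from the thread.

# Constructed sample data: owner name -> list of (flags, tag, value).
# A hosting provider has placed a "default" issue record for CoolCA on
# customer.example (the scenario above); sub.customer.example has none.
ZONE = {
    "customer.example": [(0, "issue", "coolca.example")],
    "other.example": [
        (0, "issue", "coolca.example"),
        (0, "issue", "othercaexample"),   # domain owner added their own CA
    ],
    "nocaa.example": [],
}

def relevant_caa_set(zone, name):
    """RFC 6844 s4: climb from name towards the root; first non-empty set wins."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []

def issuance_allowed(zone, name, ca_domain, wildcard=False):
    """True if ca_domain may issue a certificate for name under CAA."""
    rrset = relevant_caa_set(zone, name)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance unrestricted
    # An unrecognised property marked critical (flag bit 128) forbids issuance.
    if any(f & 128 and t not in ("issue", "issuewild", "iodef") for f, t, _ in rrset):
        return False
    tags = {t for _, t, _ in rrset}
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if tag not in tags:
        return True  # CAA present but no issue/issuewild record: unrestricted
    # The value is "<domain>; parameters"; only the domain part is compared.
    allowed = {v.split(";")[0].strip() for _, t, v in rrset if t == tag}
    return ca_domain in allowed  # "issue ;" yields "" and so allows nobody
```

With the provider's default in place, any CA other than CoolCA is refused for customer.example and for every name beneath it, until the domain owner adds a record of their own.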
