[cabfpub] Continuing the discussion on CAA

Ryan Sleevi sleevi at google.com
Mon Oct 24 17:50:36 UTC 2016


This has been repeatedly asked on calls, and each time Google provides
details about how it has prevented unauthorized issuance?

Can we accept CAA has worked, helped for those CAs that check, and move on?

On Mon, Oct 24, 2016 at 8:40 AM, Jeremy Rowley via Public <
public at cabforum.org> wrote:

> Has there been an issuance to a third party that CAA would have prevented?
> Since there's no way to ensure compliance with a hard-fail CAA requirement,
> will CAA do anything useful? We don't mind CAA as a validation check, but
> I'm curious if anyone knows of an issued cert that would have been rejected
> if CAA were fully implemented.
> -----Original Message-----
> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase
> Markham via Public
> Sent: Monday, October 24, 2016 5:38 AM
> To: Eneli Kirme <Eneli.Kirme at sk.ee>; public at cabforum.org
> Subject: Re: [cabfpub] Continuing the discussion on CAA
> Hi Eneli,
> On 24/10/16 12:08, Eneli Kirme via Public wrote:
> > But consider this scenario: a hypothetical CoolCA approaching a DNS
> > service provider, be it an ISP, domain registrar or some kind of
> > hosting provider, with a proposal to include a CAA record pointing to
> > the CoolCA into their default configuration.
> I would expect the DNS service provider to refuse, because otherwise they'll
> have a lot of angry customers ringing them up, saying "my CA tells me I
> can't have a certificate, and it's your fault".
> However, to address this, would it be reasonable to add a clause in the
> CAA-related change which said something like: "CAs MUST NOT add (or cause or
> request to be added) CAA records to the DNS without the explicit permission
> of the domain owner."
> Gerv
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public