[cabfpub] EXTERNAL: Re: Continuing the discussion on CAA
Carl.Mehner at usaa.com
Mon Oct 24 18:24:14 UTC 2016
> On 24/10/16 16:40, Jeremy Rowley via Public wrote:
> > Has there been an issuance to a third party that CAA would have
We have an internal policy that describes which CAs are allowed for use, there have been cases where other teams or entities have issued a certificate that did not fit within our defined policy. Had CAA enforcement been enabled and the CAs set to hard-fail mode, what we see as a "semantic mis-issuance" would not have occurred.
> 2) If a customer has a single base domain and needs to issue 6 million certs
> an hour for the various sub domains, then there isn't a way for the CA to
> simply accept the base domain's CAA record.
I think that hanging on to responses for a short amount of time would be good for multiple issuances within time period 'X' like in
However, as it says in RFC6844:
CAA records MAY be used by Certificate Evaluators as a possible
indicator of a security policy violation. Such use SHOULD take
account of the possibility that published CAA records changed between
the time a certificate was issued and the time at which the
certificate was observed by the Certificate Evaluator.
Therefore, when a cached CAA response is 're-checked' and the status has changed, that must not in and of itself constitute an event worthy of revocation under 220.127.116.11.12 of the BRs.
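The two mechanisms discussed in this message, a hard-fail CAA check that reuses a recently fetched RRset for a burst of issuances under one base domain, and an evaluator that re-checks CAA later and finds the records changed, as an added illustration that is not code from this thread, from USAA or from any CA. The zone contents, the TTL, the CA identifiers ("ca-a.example", "ca-b.example") and the domain names are constructed for the example; the issue/issuewild/critical-flag handling follows RFC 6844 section 5.2 in simplified form (no DNSSEC, no CNAME/DNAME handling, no real DNS lookups).

```python
"""Minimal RFC 6844-style CAA check with a short-lived response cache.
Everything here (zone, TTL, CA names, domains) is a constructed assumption
for illustration; it is not any CA's production logic."""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (0x80) = issuer critical
    tag: str     # "issue", "issuewild", "iodef", or an unknown tag
    value: str   # e.g. "ca-a.example; account=123", or ";" for "no CA"


# Constructed zone keyed by FQDN. sub.example.com has no CAA RRset of its
# own, so a query for it (or for *.example.com) climbs to example.com.
ZONE = {
    "example.com.": [CAARecord(0, "issue", "ca-a.example"),
                     CAARecord(0, "issuewild", ";")],
}


def lookup_caa(name, zone=ZONE):
    """RFC 6844 s.4 tree climb: return the CAA RRset of the closest
    ancestor-or-self of `name` that has one; [] means no CAA at all."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".", [])
        if rrset:
            return list(rrset)
    return []


def _issuer_domain(value):
    """Issuer domain is the text before the first ';'; an empty domain
    (the value ';') means no CA is authorized."""
    return value.split(";", 1)[0].strip().lower()


def is_authorized(rrset, ca_id, wildcard):
    """Decide whether `ca_id` may issue under `rrset`:
    - no RRset anywhere up the tree: issuance unrestricted;
    - an unknown tag with the critical bit set: refuse;
    - wildcard requests use issuewild when present, otherwise issue;
    - no relevant property tag at all: unrestricted."""
    if not rrset:
        return True
    if any(r.flags & 0x80 and r.tag not in ("issue", "issuewild", "iodef")
           for r in rrset):
        return False
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True
    return any(_issuer_domain(r.value) == ca_id.lower() for r in relevant)


class CAAChecker:
    """Hard-fail checker that keeps each fetched RRset for `ttl` seconds so
    many issuances under one base domain reuse a single lookup."""

    def __init__(self, zone=ZONE, ttl=60.0, clock=time.monotonic):
        self.zone, self.ttl, self.clock = zone, ttl, clock
        self._cache = {}   # name -> (expires_at, rrset)
        self.lookups = 0   # how many real lookups were performed

    def rrset_for(self, name):
        now = self.clock()
        hit = self._cache.get(name)
        if hit and hit[0] > now:
            return hit[1]
        self.lookups += 1
        rrset = lookup_caa(name, self.zone)
        self._cache[name] = (now + self.ttl, rrset)
        return rrset

    def may_issue(self, name, ca_id, wildcard=False):
        """Returns (decision, rrset the decision was based on). Keeping the
        RRset is what lets the CA show later what it saw at issuance."""
        rrset = self.rrset_for(name)
        return is_authorized(rrset, ca_id, wildcard), rrset


def evaluator_status(rrset_at_issuance, rrset_now, ca_id, wildcard=False):
    """What a Certificate Evaluator can conclude from a later re-check.
    Only 'unauthorized-at-issuance' says anything about the issuance itself;
    'changed-since-issuance' means the records moved after the fact, which
    RFC 6844 s.4 tells evaluators to expect."""
    if not is_authorized(rrset_at_issuance, ca_id, wildcard):
        return "unauthorized-at-issuance"
    if not is_authorized(rrset_now, ca_id, wildcard):
        return "changed-since-issuance"
    return "consistent"


if __name__ == "__main__":
    clock = [0.0]   # fake clock so the cache expiry is deterministic
    chk = CAAChecker(ttl=60.0, clock=lambda: clock[0])
    for _ in range(1000):
        assert chk.may_issue("sub.example.com", "ca-a.example")[0]
    print("lookups for 1000 issuances within TTL:", chk.lookups)
    print("ca-b may issue sub.example.com:",
          chk.may_issue("sub.example.com", "ca-b.example")[0])
    print("ca-a may issue *.example.com:",
          chk.may_issue("*.example.com", "ca-a.example", wildcard=True)[0])
```

The design point is the split between `may_issue`, which hard-fails on the RRset current at issuance time, and `evaluator_status`, which compares that recorded RRset with whatever the evaluator sees later: a record that changed in between shows up as "changed-since-issuance", which is distinct from an issuance that was unauthorized when it happened.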