[cabfpub] EXTERNAL: Re: Continuing the discussion on CAA

Mehner, Carl Carl.Mehner at usaa.com
Mon Oct 24 18:24:14 UTC 2016

> On 24/10/16 16:40, Jeremy Rowley via Public wrote:
> > Has there been an issuance to a third party that CAA would have
> prevented?

We have an internal policy that describes which CAs are allowed for use, there have been cases where other teams or entities have issued a certificate that did not fit within our defined policy. Had CAA enforcement been enabled and the CAs set to hard-fail mode, what we see as a "semantic mis-issuance" [1] would not have occurred.

> 2) If a customer has a single base domain and needs to issue 6 million certs 
> an hour for the various sub domains, then there isn't a way for the CA to 
> simply accept the base domain's CAA record.
I think that hanging on to responses for a short amount of time would be good for multiple issuances within time period 'X' like in 

However, as it says in RFC6844:
CAA records MAY be used by Certificate Evaluators as a possible
   indicator of a security policy violation.  Such use SHOULD take
   account of the possibility that published CAA records changed between
   the time a certificate was issued and the time at which the
   certificate was observed by the Certificate Evaluator.

Therefore, when a cached CAA response is 're-checked' and the status has changed, that must not in and of itself constitute an event worthy of revocation under of the BRs.

[1] https://tools.ietf.org/html/draft-ietf-trans-threat-analysis-10#section-3

More information about the Public mailing list