[cabfpub] Continuing the discussion on CAA

Gervase Markham gerv at mozilla.org
Tue Oct 25 08:57:04 UTC 2016

On 24/10/16 17:26, Jeremy Rowley wrote:
> 1)  CAA is currently an issuance check rather than a validation check. As 
> mentioned during the face-to-face, this is a hurdle in fast issuance of 
> certificates. We liked Ryan's proposal of simply doing a refresh every X days 
> as a solution. By moving it to a validation check, CAs can have fast issuance 
> times without CAA holding up the process after the initial validation is 
> complete.

I think this is definitely worth exploring, and I am confident we can
work out some reasonable parameters. However, I wonder if, if we are not
checking CAA at every issuance, it would be wise for CAs to be required
to implement a "no more certs, please" procedure where the customer can
tell the CA to throw away all cached validation information, including
the CAA check results. This could be automated in circumstances where
the customer has a login.

> 2) If a customer has a single base domain and needs to issue 6 million certs 
> an hour for the various sub domains, then there isn't a way for the CA to 
> simply accept the base domain's CAA record.

I'm not sure how to address this without changing the way CAA works.
AIUI it's specced to work from the requested domain down to the root. So
I'm not sure I'd say this problem is "easily solved". Does PHB have a
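
The two mechanics under discussion in the reply above, the "from the requested domain down to the root" climb in CAA and a cached check with a customer-triggered flush, as an added example that is not part of the original thread and is not any CA's code. The zone data is constructed for the example, CNAME/DNAME following from RFC 6844 is deliberately omitted, and the handling of an RRset with no governing issue/issuewild property is a simplifying assumption rather than a statement of the spec:

```python
"""Simplified CAA relevant-RRset lookup (climb from the requested name toward
the root) plus a TTL cache with a customer-triggered flush.

Added example, not code from the mailing list or from any CA. The zone below
is constructed; CNAME/DNAME following is omitted.
"""
from dataclasses import dataclass
import time

ISSUER_CRITICAL = 0x80  # CAA flags bit: an unknown tag with this set => refuse


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed zone: FQDN -> CAA RRset. api.example.com overrides its parent,
# which is why a CA cannot simply accept the base domain's record for every
# subdomain under it.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "ca-one.example"),
        CAARecord(0, "issuewild", ";"),  # no wildcard certs from anyone
    ],
    "api.example.com": [CAARecord(0, "issue", ";")],  # nobody may issue here
    "legacy.example.com": [
        CAARecord(ISSUER_CRITICAL, "newtag", "whatever"),  # unknown critical tag
        CAARecord(0, "issue", "ca-one.example"),
    ],
}


def relevant_rrset(fqdn, zone):
    """Climb from fqdn toward the root; return (name, rrset) for the closest
    ancestor-or-self that has CAA records, or (None, []) if none does."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = zone.get(name)
        if rrset:
            return name, list(rrset)
    return None, []


def issuer_domain(value):
    """'ca.example; accounturi=...' -> 'ca.example'; '' for the bare ';' form."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(requested_name, ca_domain, zone):
    """Decide whether ca_domain may issue for requested_name ('*.'-prefixed
    names are wildcard requests). Returns (permitted, governing_name)."""
    wildcard = requested_name.startswith("*.")
    bare = requested_name[2:] if wildcard else requested_name
    name, rrset = relevant_rrset(bare, zone)
    if not rrset:
        return True, None  # no CAA anywhere up the tree: unconstrained
    for r in rrset:
        if r.flags & ISSUER_CRITICAL and r.tag.lower() not in ("issue", "issuewild"):
            return False, name  # critical property this code does not understand
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild governs wildcards only when present
    governing = [r for r in rrset if r.tag.lower() == tag]
    if not governing:
        return True, name  # assumption: no governing property => unconstrained
    allowed = {issuer_domain(r.value) for r in governing}
    return ca_domain.lower() in allowed, name


class ValidationCache:
    """CAA results cached for ttl_seconds (the 'refresh every X days' idea),
    keyed by the exact requested name because a subdomain may carry its own
    RRset. flush() is the 'no more certs, please' procedure: it drops every
    cached result at or under the given domain."""

    def __init__(self, ttl_seconds, zone, now=time.time):
        self.ttl = ttl_seconds
        self.zone = zone
        self.now = now  # injectable clock so expiry can be exercised offline
        self._entries = {}

    def permits(self, requested_name, ca_domain):
        key = (requested_name.lower(), ca_domain.lower())
        entry = self._entries.get(key)
        if entry is not None and entry[1] > self.now():
            return entry[0], True  # (permitted, served_from_cache)
        permitted, _ = caa_permits(requested_name, ca_domain, self.zone)
        self._entries[key] = (permitted, self.now() + self.ttl)
        return permitted, False

    def flush(self, domain):
        domain = domain.lower()
        suffix = "." + domain
        for key in list(self._entries):
            name = key[0][2:] if key[0].startswith("*.") else key[0]
            if name == domain or name.endswith(suffix):
                del self._entries[key]


if __name__ == "__main__":
    for n in ("www.example.com", "api.example.com", "*.example.com", "legacy.example.com"):
        print(n, caa_permits(n, "ca-one.example", ZONE))
```

Running the script shows that www.example.com is governed by the parent's RRset while api.example.com, one label lower, is refused outright, which is the situation behind the "6 million certs an hour" objection: every subdomain still needs its own climb, and a cache that stopped at the base domain would miss the override. The cache keeps the per-name result for the refresh interval and is emptied below a domain by flush().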

