[cabfpub] Continuing the discussion on CAA
jeremy.rowley at digicert.com
Tue Oct 25 23:26:59 UTC 2016
Why not change how CAA works? Make it a base-domain check rather than a
hierarchy. Or have the base domain list all of the approved CAs? I realize
this will require a bis, but perhaps if the CAA record contained a "master
list" with a limit on who can approve at the base domain then that would work.
I was thinking of a system where you could specify the labelset property tag
applicable to the permission:
CAA 0 lbl=0 iodef "http://iodef.example.com/"
Where lbl is optional and defines the scope of the permission. This does put
the burden on the base domain holder to specify the acceptable root CAs, but
that burden is essentially already there with the permitted validation
From: Gervase Markham [mailto:gerv at mozilla.org]
Sent: Tuesday, October 25, 2016 2:57 AM
To: Jeremy Rowley <jeremy.rowley at digicert.com>; public at cabforum.org
Subject: Re: [cabfpub] Continuing the discussion on CAA
On 24/10/16 17:26, Jeremy Rowley wrote:
> 1) CAA is currently an issuance check rather than a validation check.
> As mentioned during the face-to-face, this is a hurdle in fast
> issuance of certificates. We liked Ryan's proposal of simply doing a
> refresh every X days as a solution. By moving it to a validation
> check, CAs can have fast issuance times without CAA holding up the
> process after the initial validation is complete.
I think this is definitely worth exploring, and I am confident we can work out
some reasonable parameters. However, I wonder if, if we are not checking CAA
at every issuance, it would be wise for CAs to be required to implement a "no
more certs, please" procedure where the customer can tell the CA to throw away
all cached validation information, including the CAA check results. This could
be automated in circumstances where the customer has a login.
> 2) If a customer has a single base domain and needs to issue 6 million
> certs an hour for the various sub domains, then there isn't a way for
> the CA to simply accept the base domain's CAA record.
I'm not sure how to address this without changing the way CAA works.
AIUI it's specced to work from the requested domain down to the root. So I'm
not sure I'd say this problem is "easily solved". Does PHB have a comment?
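To make the tree climb Gerv refers to concrete, here is an added example (not from the thread, and not any CA's code) of the CAA relevant-record lookup as specified in RFC 6844, run over a constructed zone: the domain names and CA identifiers are made up, and CNAME/DNAME handling is omitted.

```python
from typing import Dict, List, Optional, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed sample zone (not from the thread): owner name -> CAA records.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com.": [
        (0, "issue", "ca-one.example"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    # A child name with its own CAA set: "issue ;" forbids all issuance there,
    # so a CA cannot simply reuse the base domain's record for every subdomain.
    "restricted.example.com.": [(0, "issue", ";")],
}


def relevant_caa_set(zone: Dict[str, List[CAARecord]],
                     fqdn: str) -> Tuple[Optional[str], List[CAARecord]]:
    """Walk from the requested name toward the root and return the first
    non-empty CAA record set together with the name it was found at."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        rrset = zone.get(name, [])
        if rrset:
            return name, rrset
    return None, []


def may_issue(zone: Dict[str, List[CAARecord]], fqdn: str, ca_id: str,
              wildcard: bool = False) -> Tuple[bool, str]:
    """Decide whether the CA identified by ca_id may issue for fqdn."""
    found_at, rrset = relevant_caa_set(zone, fqdn)
    if not rrset:
        return True, "no CAA records at any ancestor"
    # An unknown property with the critical bit (0x80) set blocks issuance.
    if any(flags & 0x80 and tag not in ("issue", "issuewild", "iodef")
           for flags, tag, _ in rrset):
        return False, f"unknown critical CAA property at {found_at}"
    # Wildcard requests use issuewild when present, else fall back to issue.
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    authorized = [v.split(";")[0].strip() for _, t, v in rrset if t == tag]
    if not authorized:
        return True, f"no {tag} property at {found_at}; issuance unrestricted"
    if ca_id in authorized:
        return True, f"{ca_id} authorized by {tag} at {found_at}"
    return False, f"{ca_id} not in {tag} set at {found_at}: {authorized}"
```

The `restricted.example.com.` case is the point of Jeremy's item 2: a subdomain's own record set shadows the base domain's, so the lookup has to be done per requested name.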