[cabfpub] Continuing the discussion on CAA

Jeremy Rowley jeremy.rowley at digicert.com
Tue Oct 25 23:26:59 UTC 2016

Why not change how CAA so it works? Make it a base-domain check rather than a 
hierarchy. Or have the base domain list all of the approved CAs? I realize 
this will require a bis, but perhaps if the CAA record contained a "master 
list" with a limit on who can approve at the base domain then that would work. 
I was thinking of a system where you could specify the labelset property tag 
applicable to the permission:

CAA 0 lbl=0 iodef "http://iodef.example.com/"

Where lbl is optional and defines the scope of the permission. This does put 
the burden on the base domain holder to specify the acceptable root CAs, but 
that burden is essentially already there with the permitted validation 


-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org]
Sent: Tuesday, October 25, 2016 2:57 AM
To: Jeremy Rowley <jeremy.rowley at digicert.com>; public at cabforum.org
Subject: Re: [cabfpub] Continuing the discussion on CAA

On 24/10/16 17:26, Jeremy Rowley wrote:
> 1)  CAA is currently an issuance check rather than a validation check.
> As mentioned during the face-to-face, this is a hurdle in fast
> issuance of certificates. We liked Ryan's proposal of simply doing a
> refresh every X days as a solution. By moving it to a validation
> check, CAs can have fast issuance times without CAA holding up the
> process after the initial validation is complete.

I think this is definitely worth exploring, and I am confident we can work out 
some reasonable parameters. However, I wonder if, if we are not checking CAA 
at every issuance, it would be wise for CAs to be required to implement a "no 
more certs, please" procedure where the customer can tell the CA to throw away 
all cached validation information, including the CAA check results. This could 
be automated in circumstances where the customer has a login.

> 2) If a customer has a single base domain and needs to issue 6 million
> certs an hour for the various sub domains, then there isn't a way for
> the CA to simply accept the base domain's CAA record.

I'm not sure how to address this without changing the way CAA works.
AIUI it's specced to work from the requested domain down to the root. So I'm 
not sure I'd say this problem is "easily solved". Does PHB have a comment?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4964 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161025/f9cdc6d7/attachment-0001.p7s>

More information about the Public mailing list