[cabfpub] Continuing the discussion on CAA

Ryan Sleevi sleevi at google.com
Wed Oct 26 00:49:26 UTC 2016

On Tue, Oct 25, 2016 at 4:26 PM, Jeremy Rowley via Public <
public at cabforum.org> wrote:

> Why not change how CAA so it works? Make it a base-domain check rather
> than a
> hierarchy. Or have the base domain list all of the approved CAs? I realize
> this will require a bis, but perhaps if the CAA record contained a "master
> list" with a limit on who can approve at the base domain then that would
> work.
> I was thinking of a system where you could specify the labelset property
> tag
> applicable to the permission:
> CAA 0 lbl=0 iodef "http://iodef.example.com/"
> Where lbl is optional and defines the scope of the permission. This does
> put
> the burden on the base domain holder to specify the acceptable root CAs,
> but
> that burden is essentially already there with the permitted validation
> processes.

The choice of how CAA was designed was to reflect how DNS works, and the
DNS hierarchy. As proposed, this would allow, for example, the operators of
.com, .cn, or .ru to restrict which CAs can be used within their countries
- which, while perhaps possible today, is certainly not an intended use
case for CAA. Unless, of course, you're suggesting it requires multiple
labels - but now you're into the problem of determining scope of authority,
which is an unsolved problem, if you're not explicitly working from the top

I'm not sure about your proposed syntax and how it maps into how CAA is
defined, but that sounds like an even more substantive update that would
necessitate fully replacing/obsoleting the existing CAA record.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161025/b16d5190/attachment-0003.html>

More information about the Public mailing list