[cabfpub] Continuing the discussion on CAA

Jeremy Rowley jeremy.rowley at digicert.com
Wed Oct 26 02:54:40 UTC 2016

Although CAA was designed around DNS, the actual record isn’t relevant DNS information. Since CAA is a policy decision that is being included in DNS as a convenient means of dissemination, any suitable replacement should be just as good if it has the same reliability of conveying info as the DNS records. Therefore, the structure of CAA doesn’t necessarily need to reflect the structure of DNS.  What if the primary label just contained all the CAs authorized for the domain? A simpler way to do this would simply have the base domain indicate whether the policy applies to all other domains. This is already permitted in CAA with wildcards so simply adding a tag that specifies “apply to all domains” would be easier (Indeed – the spec is designed for this). How about PHB adds a tag of “base-approval=1” as a flag to indicate all superior labels are considered approved IF the flag is set. If the flag is not set, validation would have to occur at each node. 
From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Tuesday, October 25, 2016 6:49 PM
To: Jeremy Rowley <jeremy.rowley at digicert.com>
Cc: Gervase Markham <gerv at mozilla.org>; public at cabforum.org
Subject: Re: [cabfpub] Continuing the discussion on CAA
On Tue, Oct 25, 2016 at 4:26 PM, Jeremy Rowley via Public <public at cabforum.org> wrote:

Why not change how CAA works? Make it a base-domain check rather than a
hierarchy. Or have the base domain list all of the approved CAs? I realize
this will require a bis, but perhaps if the CAA record contained a "master
list" with a limit on who can approve at the base domain then that would work.
I was thinking of a system where you could specify the labelset property tag
applicable to the permission:

CAA 0 lbl=0 iodef "http://iodef.example.com/"

Where lbl is optional and defines the scope of the permission. This does put
the burden on the base domain holder to specify the acceptable root CAs, but
that burden is essentially already there with the permitted validation
The choice of how CAA was designed was to reflect how DNS works, and the DNS hierarchy. As proposed, this would allow, for example, the operators of .com, .cn, or .ru to restrict which CAs can be used within their countries - which, while perhaps possible today, is certainly not an intended use case for CAA. Unless, of course, you're suggesting it requires multiple labels - but now you're into the problem of determining scope of authority, which is an unsolved problem, if you're not explicitly working from the top down.
I'm not sure about your proposed syntax and how it maps into how CAA is defined, but that sounds like an even more substantive update that would necessitate fully replacing/obsoleting the existing CAA record.
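Added worked example for this thread (not code from the thread, from DigiCert, Google or any CA's validation stack): the RFC 6844 section 4 lookup climb that the reply describes as "working from the top down", placed next to one reading of the base-approval flag proposed in the message at the top. ZONE and ZONE_TLD are constructed data; every hostname and CA identifier in them is made up, no DNS is queried, and the CNAME/DNAME steps of RFC 6844 section 4 are omitted. The base-approval tag and its semantics are an assumption drawn from the proposal only; note that RFC 6844 section 5.1.1 says tag values should contain only letters and digits, so the hyphenated spelling is kept purely as the message wrote it.

```python
# Added example for this archive page, not code from the thread or any CA.
# ZONE and ZONE_TLD are constructed; every name and CA identifier is made up.
# No DNS is queried; CNAME/DNAME handling from RFC 6844 section 4 is omitted.

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # issuer-critical flag bit, RFC 6844 section 5.1

# name -> list of (flags, tag, value).  example.com carries the hypothetical
# base-approval tag from the proposal; under RFC 6844 it is an unknown,
# non-critical property and is simply ignored.
ZONE = {
    "example.com": [
        (0, "issue", "ca-a.example"),
        (0, "iodef", "mailto:security@example.com"),
        (0, "base-approval", "1"),        # hypothetical tag (assumption)
    ],
    "sub.example.com": [(0, "issue", "ca-b.example; account=42")],
}

# Same zone, but the TLD operator also sets the flag: the scenario raised in
# the reply, where a top-down rule lets "com" decide for every name beneath it.
ZONE_TLD = dict(ZONE)
ZONE_TLD["com"] = [(0, "issue", "ca-tld.example"), (0, "base-approval", "1")]


def _split(fqdn):
    """Return (is_wildcard, labels) for a name such as '*.example.com'."""
    fqdn = fqdn.rstrip(".").lower()
    wildcard = fqdn.startswith("*.")
    if wildcard:
        fqdn = fqdn[2:]
    return wildcard, fqdn.split(".")


def relevant_rrset(fqdn, zone):
    """RFC 6844 section 4: climb from the FQDN toward the root and return
    (name, rrset) for the first node that has CAA records, else (None, [])."""
    _, labels = _split(fqdn)
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def _ca_permitted(rrset, ca, tag):
    """Apply the issue/issuewild properties of one RRset to CA `ca`."""
    # An unknown property marked issuer-critical forbids issuance outright.
    if any(f & CRITICAL and t not in KNOWN_TAGS for f, t, _ in rrset):
        return False
    allowed = [v for _, t, v in rrset if t == tag]
    if tag == "issuewild" and not allowed:
        allowed = [v for _, t, v in rrset if t == "issue"]  # issue also covers wildcards
    if not allowed:
        return True  # no CAA records, or no issue properties: no restriction
    # value is "<issuer-domain>[; param=...]"; an empty domain means "nobody"
    return any(v.split(";")[0].strip() == ca.lower() for v in allowed)


def authorized_rfc6844(fqdn, ca, zone):
    """Is `ca` permitted to issue for `fqdn` under the standard climb?"""
    wildcard, _ = _split(fqdn)
    _, rrset = relevant_rrset(fqdn, zone)
    return _ca_permitted(rrset, ca, "issuewild" if wildcard else "issue")


def authorized_base_approval(fqdn, ca, zone):
    """One reading of the proposal above (hypothetical, not any standard):
    walk top-down from the TLD; the first node with base-approval=1 has its
    issue policy applied to every name beneath it.  With no flag anywhere on
    the path, fall back to the RFC 6844 climb."""
    wildcard, labels = _split(fqdn)
    for i in range(len(labels) - 1, -1, -1):         # "com", "example.com", ...
        rrset = zone.get(".".join(labels[i:]), [])
        if any(t == "base-approval" and v == "1" for _, t, v in rrset):
            return _ca_permitted(rrset, ca, "issuewild" if wildcard else "issue")
    return authorized_rfc6844(fqdn, ca, zone)


if __name__ == "__main__":
    for name, ca in [("sub.example.com", "ca-b.example"),
                     ("www.example.com", "ca-a.example"),
                     ("*.example.com", "ca-a.example")]:
        print(name, ca,
              "rfc6844:", authorized_rfc6844(name, ca, ZONE),
              "base-approval:", authorized_base_approval(name, ca, ZONE),
              "base-approval at TLD:", authorized_base_approval(name, ca, ZONE_TLD))
```

Under the RFC 6844 climb, sub.example.com's own record wins and ca-b.example may issue there while ca-a.example may not; under the base-approval reading, example.com's policy overrides the child and only ca-a.example qualifies. Adding the same flag at "com" in ZONE_TLD makes the TLD's list govern every name below it, which is exactly the scope-of-authority problem the reply points at.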
