[cabfpub] Continuing the discussion on CAA

Jeremy Rowley jeremy.rowley at digicert.com
Wed Oct 26 17:27:09 UTC 2016

Thanks Ryan. For some reason “Reply All” is dropping the public list.


From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Wednesday, October 26, 2016 11:20 AM
To: Jeremy Rowley <jeremy.rowley at digicert.com>
Cc: Eneli Kirme <Eneli.Kirme at sk.ee>; CABFPub <public at cabforum.org>
Subject: Re: [cabfpub] Continuing the discussion on CAA


Reposting to the public list since, for some reason, Jeremy's reply-all dropped it.


On Wed, Oct 26, 2016 at 8:54 AM, Jeremy Rowley <jeremy.rowley at digicert.com <mailto:jeremy.rowley at digicert.com> > wrote:

Plus, DNS records aren’t exactly hard to change. Considering the general lack of support for CAA, getting a CAA record in the DNS is a lot more difficult than changing the record once established.


From: Public [mailto:public-bounces at cabforum.org <mailto:public-bounces at cabforum.org> ] On Behalf Of Ryan Sleevi via Public
Sent: Wednesday, October 26, 2016 9:52 AM
To: Eneli Kirme <Eneli.Kirme at sk.ee <mailto:Eneli.Kirme at sk.ee> >
Cc: CABFPub <public at cabforum.org <mailto:public at cabforum.org> >
Subject: Re: [cabfpub] Continuing the discussion on CAA


On Oct 25, 2016 10:38 PM, "Eneli Kirme via Public" <public at cabforum.org <mailto:public at cabforum.org> > wrote:

> Hi, 
> In practice CAA record are subject to be manipulated by UI provided by DNS records management. We have no way to control it and once there is a “default” listed for customer convenience then the damage for fair market has been placed. Without actually much thinking customers make a business decision of one area in the context of another without much thinking about it.
> Can we from CABForum somehow protect against such “defaults”?

This has been discussed rather at length over the past two years. In Rick's slides from past meetings, you can find the discussion of differences between Kirk Hall and I on this, with Gervase supporting the position I put forward: No, we cannot.

I appreciate the concern, but I believe it is largely hypothetical, I believe that as a concern it prevents real security without any demonstrable risk, and should the situation ever arise in reality, we can actually evaluate it rather than the hypothetical.

But I do want to highlight that this argument has been used against CAA since 2011, as the archives show, was previously made by Kirk Hall, and otherwise has prevented progress by raising the spectre of an issue without any real evidence.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161026/0db2a754/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4964 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161026/0db2a754/attachment-0001.p7s>

More information about the Public mailing list