[cabfpub] Continuing the discussion on CAA

Jody Cloutier jodycl at microsoft.com
Thu Oct 27 22:48:45 UTC 2016


Correct, but remember that in this discussion Microsoft is both a Browser and a CA. 

-----Original Message-----
From: Rick Andrews [mailto:Rick_Andrews at symantec.com] 
Sent: Thursday, October 27, 2016 3:47 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Jody Cloutier <jodycl at microsoft.com>
Subject: RE: [cabfpub] Continuing the discussion on CAA

Jody, did you mean to say "it does not issue _certs_ to the general public"?
I think the answer is: if those certs are in scope for the BRs, then any
rules in the BRs about CAA take effect. 

Currently, the only rule in the BRs concerning CAA is that the CA has to
publish their CAA policy in their CP/CPS. It says nothing about what
browsers have to do ;^)

-Rick

-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Jody Cloutier
via Public
Sent: Thursday, October 27, 2016 3:34 PM
To: public at cabforum.org
Cc: Jody Cloutier <jodycl at microsoft.com>
Subject: Re: [cabfpub] Continuing the discussion on CAA

Question: If a company has trusted roots, but it does not issue roots to the
general public, would it still have to check the CAA database? 

-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Andrew Ayer
via Public
Sent: Tuesday, October 25, 2016 10:32 AM
To: public at cabforum.org
Subject: Re: [cabfpub] Continuing the discussion on CAA

On Mon, 24 Oct 2016 18:52:06 +0000
Jeremy Rowley via Public <public at cabforum.org> wrote:

> "CAA records MAY be used by Certificate Evaluators as a possible
> indicator of a security policy violation. Such use SHOULD take
> account of the possibility that published CAA records changed
> between the time a certificate was issued and the time at which the
> certificate was observed by the Certificate Evaluator."
> 
> I know it says this, but I'm not sure how this would ever happen in 
> practice. That seems more like the role of CT over CAA.

CT finds certificates but doesn't tell you whether a certificate was
authorized or not.  A CT monitor could check CAA records and raise an alarm
if a certificate was issued by an unauthorized CA.

Regards,
Andrew
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
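The check Andrew describes for a CT monitor, worked through as an added example (this code is not from the thread or from any CA/Browser Forum participant): given the names in an observed certificate and the CAA identifier of the CA that issued it, walk up from each name to the relevant CAA RRset as RFC 6844 specifies, pick the `issue` or `issuewild` property set, and flag any name the issuer was not authorized for. The zone contents, CA identifiers and the `CAARecord` helper are constructed for the example; live DNS queries and CNAME following are assumed to happen outside this function.

```python
"""
Offline model of a CT-monitor CAA check: decide from the currently
published CAA records whether the CA that issued a certificate was
authorized for each of its names.  Zone data is a constructed in-memory
table standing in for DNS answers (CNAME following is not modelled).
"""
from dataclasses import dataclass

CRITICAL = 0x80                       # issuer-critical flag bit (RFC 6844 5.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed CAA data.  An issue/issuewild value names the CA by its CAA
# identifier, optionally followed by ';' and parameters; a bare ';' means
# no CA at all is authorized for that property.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "ca-one.example"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "api.example.com": [
        CAARecord(0, "issue", "ca-two.example; constructed-param=1"),
    ],
    "wild.example.com": [
        CAARecord(0, "issuewild", ";"),          # wildcard issuance forbidden
        CAARecord(0, "issue", "ca-one.example"), # ordinary names still allowed
    ],
    "strict.example.com": [
        CAARecord(CRITICAL, "futuretag", "x"),   # critical, unrecognized tag
    ],
}


def relevant_rrset(name, zone=ZONE):
    """Climb from `name` to its parents; return (origin, records) of the
    first non-empty CAA RRset, or (None, []) if no ancestor publishes CAA."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []


def authorized_cas(records, wildcard):
    """Return the set of CA identifiers allowed by `records`, the empty set
    if issuance is prohibited, or None if the RRset imposes no restriction."""
    # A critical record whose tag is not understood blocks issuance outright.
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in records):
        return set()
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in records):
        tag = "issuewild"            # issuewild overrides issue for wildcards
    applicable = [r for r in records if r.tag.lower() == tag]
    if not applicable:
        return None                  # CAA present but nothing applies: no restriction
    allowed = set()
    for r in applicable:
        ca = r.value.split(";", 1)[0].strip().lower()
        if ca:
            allowed.add(ca)
    return allowed                   # may be empty, e.g. for a bare ';' value


def check_name(name, issuer_caa_id, zone=ZONE):
    """Return (authorized, origin) for one certificate name."""
    wildcard = name.startswith("*.")
    lookup = name[2:] if wildcard else name   # wildcard uses the parent's RRset
    origin, records = relevant_rrset(lookup, zone)
    allowed = authorized_cas(records, wildcard)
    if allowed is None:
        return True, origin
    return issuer_caa_id.lower() in allowed, origin


def audit_certificate(sans, issuer_caa_id, zone=ZONE):
    """Return [(name, caa_origin)] for every name the issuer was not
    authorized for under the records published now."""
    violations = []
    for san in sans:
        ok, origin = check_name(san, issuer_caa_id, zone)
        if not ok:
            violations.append((san, origin))
    return violations


if __name__ == "__main__":
    # Constructed observation: a cert from ca-one covering two names.
    print(audit_certificate(["www.example.com", "api.example.com"], "ca-one.example"))
```

A non-empty result is the alarm condition Andrew mentions, but, as the RFC text Jeremy quoted warns, it is only an indicator: the records consulted are the ones published at observation time, so a monitor should record what it saw and when before treating a mismatch as mis-issuance.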