[cabfpub] CAA concerns (and potential solutions)

Gervase Markham gerv at mozilla.org
Fri Oct 28 10:50:05 UTC 2016

Hi Peter,

On 28/10/16 04:33, Peter Bowen via Public wrote:
> I propose that this be mitigated by adoption a two prong rule for CAA:
> 1) By default CAs must treat the presence of CAA records which do not
> include them as “hard fail” and not issue
> 2) However, if the CA has issued an Enterprise EV RA certificate
> containing a valid authorization domain, logged it in at least <n>
> public CT logs, the CA may treat CAA for those FQDNs and Wildcard DNs
> matching the authorization domain as “soft fail” and issue even if the
> CAA record specifies otherwise.

I think this is a plausible solution. But if CAs are going to be allowed
to issue in contradiction to CAA, why make them check CAA in this case
at all? Would it not also resolve this, and the issue Jeremy raises
about the CA being the registrant, if CAA checks were not compulsory for
leaf certs under technically-constrained enterprise intermediates
disclosed in the way given above? What would be the downsides of that?

Would it help to mark such intermediates with a policy OID to make it
clear to the world that different rules apply to its leaf certs?

> The second concern is around issuance latency.  If a certificate has
> dozens of subject alternative names or a CA is issuing massive number of
> certificates the full CAA checking algorithm can be slow, especially if
> there are no CAA records as each label must be checked back to the root.

On that point: I suggested on the call (after the official end) that the
standards might permit (but not require) an optimisation such that it
was not required to check CAA for suffixes in the ICANN section of the
PSL. That prevents you spending your time looking up the CAA record for
".com" millions of times.

> 1) a new parameter tag for issue and issuewild properties:
> “skipsubdomaincheck" which can be “true” or “false”.  The default value
> is “false”.  If true, it indicates that a CA may skip checks for more
> specific subdomains.
> 2) extending the “domain” definition to be (label *("." label)) / “*”;
> a “*” is an explicit declaration that there is no CA restriction
> (the opposite of an empty domain name)

This second point seems to me to be orthogonal to solving the problem
you raise; can you explain why it's integral to it?

> 3) CAs may choose to check starting at the TLD and working their way
> down the tree of labels rather than starting with all labels and working
> towards the root.  If they choose this option they must use the most
> specific CAA record found unless they find a record with
> skipsubdomaincheck=true.

So to be clear: in the absence of skipsubdomaincheck=true, which we
would expect to see only on a small number of domains which have a very
large number of subdomains each, the result would be the same as the
current CAA algorithm - although perhaps calculated less efficiently.


More information about the Public mailing list