[cabfpub] CAA concerns (and potential solutions)

Ryan Sleevi sleevi at google.com
Fri Oct 28 16:41:17 UTC 2016

On Thu, Oct 27, 2016 at 8:33 PM, Peter Bowen via Public <public at cabforum.org
> wrote:

> I propose that this be mitigated by adoption a two prong rule for CAA:
> 1) By default CAs must treat the presence of CAA records which do not
> include them as “hard fail” and not issue
> 2) However, if the CA has issued an Enterprise EV RA certificate
> containing a valid authorization domain, logged it in at least <n> public
> CT logs, the CA may treat CAA for those FQDNs and Wildcard DNs matching the
> authorization domain as “soft fail” and issue even if the CAA record
> specifies otherwise.
> The CA must internally log any certs that are issued after a “soft fail”
> and report such via any iodef in the CAA record.

Your last sentence regarding iodef suggests you believe this isn't already

> The second concern is around issuance latency.  If a certificate has
> dozens of subject alternative names or a CA is issuing massive number of
> certificates the full CAA checking algorithm can be slow,

I'm sorry, but I'm going to specifically object to this statement. It's not
been shown to be slow - merely, some members have postulated that it
"might" be slow, without showing concrete evidence or data to the contrary,
and in the face of experience otherwise.

If members want to support this line of inquiry, data needs to be provided.

> 1) a new parameter tag for issue and issuewild properties:
> “skipsubdomaincheck" which can be “true” or “false”.  The default value is
> “false”.  If true, it indicates that a CA may skip checks for more specific
> subdomains.
> 2) extending the “domain” definition to be (label *("." label)) / “*”;
> a “*” is an explicit declaration that there is no CA restriction (the opposite
> of an empty domain name)
> 3) CAs may choose to check starting at the TLD and working their way down
> the tree of labels rather than starting with all labels and working towards
> the root.  If they choose this option they must use the most specific CAA
> record found unless they find a record with skipsubdomaincheck=true.  If
> they find such a record, they may use that record and not check any further
> labels.

I am not supportive of any of these changes, nor is the CA/Browser Forum
the venue for them.

As has been pointed out elsewhere on the thread, the CAA spec is
intentionally rather explicit in prohibiting your #3 with respect to
precedence, even if they can be queried in that order (or in parallel).
Considering that changing the tokenization rules has concrete impact on
applications and CAA implementations, I do not believe your #2 is at all
compatible with deployments or implementations, and is thus unlikely to be
adopted (and certainly, something to object to)

> This should allow customers who have a need for massive issuance rates of
> unique hostnames to enter a CAA record at the common suffix label allowing
> the CA to have a near 100% cache hit rate on DNS look ups.

This seems a premature optimization based on unfounded concerns from those
without implementation experience. As such, I have trouble weighting this
request at all as reasonable.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161028/fdc33388/attachment-0003.html>

More information about the Public mailing list