[cabfpub] CAA concerns (and potential solutions)

Ryan Sleevi sleevi at google.com
Fri Oct 28 17:21:32 UTC 2016

On Fri, Oct 28, 2016 at 9:57 AM, Peter Bowen <pzb at amzn.com> wrote:
> With products like the Cavium CNN3560-NFBE-G supporting more than 30,000
> RSA signatures per second when using a 2048-bit key, I'm confident that
> the multiple DNS lookups required by CAA will be the long pole.

And if I say I'm confident that it isn't, we're back to the same issue -
discussing feelings rather than data.

I agree that CAA, as a new element into the issuance pipeline, presents
challenges, but I'm not at all supportive of an argument that says all
improvements must be at free cost. At the core, we're trying to determine
what is a reasonable tradeoff for the benefits that a consistent
application of CAA provides. We've heard suggestions of unquantified "too
slow", without any contextualization of what is acceptable (beyond,
presumably, the current status quo of no cost), or how that practically

As an example of a past change, consider the requirement for wildcards to
be checked against public suffixes. The fact that you can create an
entirely inefficient lookup of the PSL does not mean you can't have a
nanosecond lookup of that. Yet we didn't see members discussing
microbenchmarks of this, and the implications for wildcards - so it's clear,
members have some element of data driving their concerns, such that the PSL
didn't raise concerns, but this does. We need to have a discussion of that
data, and the use cases - not abstract hypotheticals of maybe costs.

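Added illustration (not part of the thread, and not code from either poster): the Python below simulates the RFC 6844 section 4 lookup climb against a constructed, in-memory zone and counts how many name lookups each request costs, which is the sort of data this message asks for instead of an unquantified "too slow". The zone contents, the names example.com, alias.example.com, target.example.net, nocaa.example and the CA domains ca-a.example, ca-b.example and ca-c.example are all made up for the example; no real DNS is queried.

```python
"""Simulated RFC 6844 CAA lookup against an in-memory zone.

Added example, not code from the cabfpub thread. The zone contents are
constructed so the code runs offline; no real DNS queries are made.
"""

# Constructed zone data: owner name -> RRsets. CAA records are kept in
# presentation format ('flags tag "value"'); a CNAME is a single target.
ZONE = {
    "example.com": {"CAA": ['0 issue "ca-a.example"', '0 issuewild ";"']},
    "alias.example.com": {"CNAME": "target.example.net"},
    "target.example.net": {"CAA": ['0 issue "ca-b.example"']},
    "example.net": {"CAA": ['0 issue "ca-c.example"']},
    "nocaa.example": {},
}

CRITICAL = 128  # RFC 6844 issuer critical flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def caa_lookup(name, zone=ZONE, max_aliases=8):
    """Return (caa_records, query_count) for `name`.

    Follows the RFC 6844 section 4 definition of the relevant record set:
    R(X) = CAA(X) if non-empty; else R(A(X)) if X is an alias; else R(P(X))
    if X is not a top-level label; else the empty set. Every name visited
    costs one simulated query, which is the per-certificate cost the thread
    is arguing about.
    """
    x = name.rstrip(".").lower()
    queries = 0
    aliases = 0
    while True:
        queries += 1
        rrsets = zone.get(x, {})
        caa = rrsets.get("CAA")
        if caa:
            return list(caa), queries
        target = rrsets.get("CNAME")
        if target:
            aliases += 1
            if aliases > max_aliases:
                raise ValueError("CNAME chain too long at %s" % x)
            x = target.rstrip(".").lower()
            continue
        labels = x.split(".")
        if len(labels) <= 1:
            return [], queries  # reached the TLD without a CAA RRset
        x = ".".join(labels[1:])


def parse_caa(rr):
    """Split 'flags tag "value"' into (int flags, lowercase tag, value)."""
    flags, tag, value = rr.split(" ", 2)
    return int(flags), tag.lower(), value.strip().strip('"')


def may_issue(records, ca_domain, wildcard=False):
    """Decide whether `ca_domain` may issue, per RFC 6844 section 5.

    'issuewild' governs wildcard requests when present; otherwise 'issue'
    applies to both. No relevant property means any CA may issue; a value
    of ';' (empty issuer domain) means no CA may issue. An unrecognized
    property with the critical flag set also forbids issuance.
    """
    props = [parse_caa(r) for r in records]
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in props):
        return False
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in props):
        tag = "issuewild"
    relevant = [v for _, t, v in props if t == tag]
    if not relevant:
        return True
    for value in relevant:
        issuer = value.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca_domain.lower():
            return True
    return False


def check_issuance(name, ca_domain, wildcard=False, zone=ZONE):
    """Combine lookup and policy: returns (allowed, query_count)."""
    records, queries = caa_lookup(name, zone)
    return may_issue(records, ca_domain, wildcard), queries


if __name__ == "__main__":
    for fqdn, ca, wild in [
        ("www.sub.example.com", "ca-a.example", False),
        ("sub.example.com", "ca-a.example", True),
        ("alias.example.com", "ca-b.example", False),
        ("deep.nocaa.example", "ca-c.example", False),
    ]:
        allowed, n = check_issuance(fqdn, ca, wild)
        print("%-22s %-13s wildcard=%-5s allowed=%-5s queries=%d"
              % (fqdn, ca, wild, allowed, n))
```

In this simulation the query count is simply the number of labels climbed plus any CNAME hops, so a third-level name with its CAA set at the registered domain costs three lookups and a name with no CAA anywhere costs one lookup per label down to the TLD. A real resolver usually returns a CNAME together with the target's CAA RRset in one response chain, and caching of the intermediate names changes the picture further, so the numbers here are an upper bound on the wire traffic rather than a benchmark.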