[cabfpub] Ballot 187 - Make CAA Checking Mandatory

Ryan Sleevi sleevi at google.com
Mon Feb 27 00:29:04 UTC 2017

Posting on behalf of mpalmer at hezmatt.org . Note, please do not take this as
an endorsement of the comments.

On Fri, Feb 24, 2017 at 3:08 PM, Ryan Sleevi <sleevi at google.com> wrote:
> My own is I'd be willing to deal with the increased risk (that comes from
> using "Example CA"'s DNS services, which would allow them to potentially
> issue a certificate in contravention of my CAA record), so long as it could
> be clear as a domain holder that I'm accepting that risk. If I didn't want
> it, I'd just choose to operate my DNS from someone who is not a CA
> (assuming I could determine that).

I'd like to ask for consideration of what I'd call the "Cloudflare problem"
providers who mandate the use of their DNS service in order to use other,
marginally-related services[1].  Were there an organisation which had a
"must delegate to us" policy which also operated a CA, they would, by this
suggestion that "DNS operator == full authoritah", have authority to issue
certificates for the domain.

While migrating away from (or deciding not to use) services which require
DNS delegation is, indeed, entirely possible, the bundling of other services
changes the migration calculus quite considerably.  Losing a number of other
useful, valuable services in order to maintain control over certificate
issuance is a lot harder to swallow than "just" migrating DNS.

My main concern, in the general case, is that a rule such as that proposed
would encourage more CA-affiliated services to put in place a "delegate
only" policy in order to allow an end-run around CAA checking.  I don't
think that serves the interests of any stakeholder in the WebPKI, other than

- Matt

[1] For those who aren't aware, in order to use Cloudflare's DDoS protection
    and other security services, you *must* delegate your domain to their
    DNS servers (with one or two exceptions that aren't relevant to 99%+ of
    all potential users of their service).  No delegation -> no service.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170226/3fbb5d8e/attachment-0003.html>

More information about the Public mailing list