[cabfpub] Ballot 187 - Make CAA Checking Mandatory

philliph at comodo.com philliph at comodo.com
Tue Feb 28 13:44:51 UTC 2017


We tried a few identifier schemes. Paul Hoffman suggested Domain Names, as it is the DNS.

Once you have a domain name in the record, you can use it as the basis for automation; we can define additional records to specify where to go to get a cert.

'Machine readable CPS' was suggested in the 90s; it's an AI-complete problem. I think what was meant is mapping from the domain name to the set of roots permitted to issue. That is not an issue for the IETF; it could be for CABForum or for root programs.



> On Feb 28, 2017, at 4:37 AM, Gervase Markham via Public <public at cabforum.org> wrote:
> 
> On 27/02/17 21:23, Ryan Sleevi via Public wrote:
>>     1. As discussed on Twitter with Gerv and Jacob, there's no easy or
>>        unambiguous way to automate this lookup. Relatedly, I am a fan
>>        of Ryan's suggestion on making the CPS be machine-readable so
>>        these CAA values can be extracted by code rather than humans.
> 
> I wonder whether making all CPSes machine-readable is a bit of overkill.
> 
> I've been pondering the need for a central registry of security contact
> information for CAs. Perhaps that could also have a column for the
> domain names that CA recognises as permitting it to issue when present
> in a CAA record. It shouldn't be too hard to make this list human-readable.
> 
> We will seek this information for each CA in our program using our next
> CA Communication.
> 
> Gerv
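The automation Phillip alludes to is a CA deciding, from the issuer domain name carried in a CAA record, whether it is permitted to issue for a name. The following is an added example and not code from the thread, from Comodo, or from the CA/Browser Forum. It implements the RFC 6844 relevant-record-set lookup (walk from the FQDN toward the root and take the first non-empty CAA RRset), then applies the issue/issuewild properties and the issuer-critical flag. It runs over a constructed in-memory zone: the zone contents, the issuer domain names (ca.example, other-ca.example), the function names and the omission of CNAME/DNAME chasing are all assumptions made for illustration.

```python
"""CAA issuance check for a candidate issuer domain (RFC 6844 style).

Added example, not from the mailing-list thread. ZONE, the issuer domain
names and all function names are assumptions for illustration; no live DNS
is queried and CNAME/DNAME chasing is omitted.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

CRITICAL = 0x80  # RFC 6844 "issuer critical" flag bit


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed zone data (assumption): owner name -> CAA RRset.
ZONE: Dict[str, List[CAA]] = {
    "example.com.": [
        CAA(0, "issue", "ca.example"),          # only ca.example may issue
        CAA(0, "issuewild", ";"),               # no wildcard issuance by anyone
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.": [CAA(0, "issue", ";")],  # explicit deny for every CA
    "strict.example.": [CAA(CRITICAL, "futuretag", "x")],  # unknown critical tag
}


def parse_caa(rdata: str) -> CAA:
    """Parse presentation-format rdata such as '0 issue "ca.example"'."""
    flags_s, tag, value = rdata.split(" ", 2)
    return CAA(int(flags_s), tag.lower(), value.strip().strip('"'))


def relevant_caa_set(name: str) -> Optional[List[CAA]]:
    """RFC 6844 section 4: climb from the FQDN toward the root and return the
    first non-empty CAA RRset; None means no CAA anywhere in the chain."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return None


def issuer_domain_from_value(value: str) -> str:
    """'ca.example; account=123' -> 'ca.example'; ';' -> '' (deny all)."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(fqdn: str, issuer_domain: str) -> bool:
    """True if the CA identified by issuer_domain may issue for fqdn."""
    wildcard = fqdn.startswith("*.")
    check_name = fqdn[2:] if wildcard else fqdn
    rrset = relevant_caa_set(check_name)
    if rrset is None:
        return True  # no CAA in the chain: issuance is not restricted
    known = {"issue", "issuewild", "iodef"}
    # A critical property the CA does not understand forbids issuance.
    if any(r.flags & CRITICAL and r.tag not in known for r in rrset):
        return False
    # issuewild governs wildcard requests only when present; else issue applies.
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"
    allowed = {issuer_domain_from_value(r.value) for r in rrset if r.tag == tag}
    if not allowed:
        return True  # relevant property absent: no restriction
    return issuer_domain.lower() in allowed


if __name__ == "__main__":
    for name, issuer in [("www.example.com", "ca.example"),
                         ("www.example.com", "other-ca.example"),
                         ("*.example.com", "ca.example"),
                         ("host.locked.example", "ca.example"),
                         ("a.strict.example", "ca.example"),
                         ("nocaa.test", "ca.example")]:
        print(f"{issuer:>16} -> {name:<22} permitted={caa_permits(name, issuer)}")
```

The tree walk is the piece that makes the domain-name identifier useful: a CA knows its own issuer domain name, so it needs no registry lookup to evaluate the record. Note that the example deliberately refuses on an unrecognised critical tag; a real implementation must also handle CNAME/DNAME at each label and the difference between NODATA and a lookup failure.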