[cabfpub] Draft CAA motion (4)

Ryan Sleevi sleevi at google.com
Tue Jan 24 13:55:32 MST 2017

On Tue, Jan 24, 2017 at 12:03 PM, Doug Beattie via Public <
public at cabforum.org> wrote:

> Gerv,
> I’d like to propose a more detailed ballot for making CAA mandatory.  I
> worked on this with a couple of the CAs in CA Security Council and there is
> general consensus that we can support this ballot.  The intent is to be as
> clear as possible because CAs will be audited against this - let's not
> leave much room for interpretation (RFC 6844 was not precise in several
> areas).
> Key changes from your version:
> 1) Added this as an exception: The CAA check failed but was subsequently
> approved by an Enterprise RA or Certificate Approver with knowledge that
> the CAA check failed.
> 2) Increased cache time to 12 hours from 1 hour when a CAA record is found
> 3) Specified a cache time of 24 hours when no CAA record was found
> 4) Update the exemption for CAs being the DNS provider

Unfortunately, it doesn't seem you've really explained why you've made
these changes, nor how they improve security. Your opening suggests it's
because of clarity, but none of these seem to bring clarity - they only
seem to make it significantly weaker in practice.

Can you share the specific motivations for making these changes, so that
the public can be informed why CAs want to be more lax about Internet
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170124/9a076b98/attachment.html>

More information about the Public mailing list