[cabfpub] Results on Ballot 187 - Make CAA Checking Mandatory

Phillip Hallam-Baker philliph at comodo.com
Thu Mar 9 14:08:49 UTC 2017


Let's hold off on a follow-up ballot until after I can talk to the IETF Security ADs in Chicago at the end of the month.

I would like us to decide exactly what handling we want for CNAME and DNAME and ensure the spec is completely clear and unambiguous. 

As to what the handling should be, I think this is an area where we need the CDNs to help us. We are never going to get a perfect approach because there is an inherent loss of information in the use of CNAME. We don’t know why they are being used.

CNAME does have the unfortunate requirement that the DNS node be otherwise empty which limits flexibility here. We could have a rule that when processing CNAME you process the initial domain path first before following the CNAME should it exist.




> On Mar 9, 2017, at 8:38 AM, Ryan Sleevi via Public <public at cabforum.org> wrote:
> 
> 
> 
> On Thu, Mar 9, 2017 at 5:31 AM, Gervase Markham via Public <public at cabforum.org <mailto:public at cabforum.org>> wrote:
> Hi Kirk and all,
> 
> On 08/03/17 22:00, Kirk Hall via Public wrote:
> > The voting period for Ballot 187 has ended.  Here are the results.
> 
> Thank you for tabulating these results; I'm very happy to see such a
> degree of final consensus on what is, I know, a controversial issue. I
> remain committed to making sure that some of the fears of some members
> about abuse of this technology do not come to pass.
> 
> There is one small "bug" in the wording which was pointed out privately
> during the voting period, which I intend to fix in a quick ballot. At
> the moment the text says:
> 
> "CAs MUST respect the critical flag and reject any unrecognized
> properties with this flag set."
> 
> But this is not what should happen according to the CAA RFC. If there is
> an unrecognised property with the critical flag set, the CA should not
> just reject the property, they should fail closed. Here is an example of
> the problems one can get from trying to reproduce the intent and
> commands of an RFC in our documents, rather than just incorporating by
> reference :-)
> 
> I propose replacing the above sentence with the more accurate:
> 
> "CAs MUST respect the critical flag and not issue a certificate if they
> encounter an unrecognized property with this flag set."
> 
> I will be preparing a ballot to this effect in the next few days.
> Without reopening any of the other controversial issues related to CAA,
> if anyone else has wording clarifications for this section, send me an
> email.
> 
> Gerv
> 
> This bug was independently discovered by another person watching the ballot and pointed out to me this morning, so I wholly support that clarification, as I'm wholly responsible for that bug :)
> 
> The 'intent' was very much to say "reject the certificate", as stated in 6844, but my wording of "reject any unrecognized properties" left an ambiguity that it may be acceptable to ignore such properties and issue the certificate - the very opposite of what was intended and what we'd discussed, on the list, as the goal :)
> 
> I'd be happy to endorse such a correction, and think we should err on the side of caution by treating it as substantive (a ballot), rather than typographical, so I appreciate your suggestion and offer to formulate such a ballot.
> 
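An added example, not code from this thread or from any CA, of the distinction Gerv and Ryan discuss: a CAA check that fails closed when it meets an unrecognized property with the critical flag set, beside the permissive reading that the original ballot wording left open. The records, the `policy-v2` tag, the CA name and the `strict` switch are all constructed for illustration.

```python
CRITICAL_FLAG = 0x80                          # issuer-critical bit in the CAA flags byte
RECOGNIZED = {"issue", "issuewild", "iodef"}  # property tags defined in RFC 6844


def parse_caa(rdata):
    """Parse one CAA record in presentation format, e.g. '128 policy-v2 "x"',
    into (flags, tag, value). Tags are matched case-insensitively."""
    flags, tag, value = rdata.split(None, 2)
    return int(flags), tag.lower(), value.strip('"')


def caa_permits(records, ca_domain, wildcard=False, strict=True):
    """Return (allowed, reason) for a CA identified by ca_domain.

    strict=True  : the RFC 6844 behaviour the corrected wording requires: an
                   unrecognized property with the critical flag set means
                   "do not issue", whatever the other records say.
    strict=False : the ambiguous reading of the original text, which only
                   "rejects the property" and then carries on."""
    for flags, tag, _ in records:
        if tag not in RECOGNIZED and flags & CRITICAL_FLAG and strict:
            return False, "unrecognized critical property %r: fail closed" % tag

    # issuewild governs wildcard requests; if absent, issue applies to them too
    tags = [t for _, t, _ in records]
    tag = "issuewild" if (wildcard and "issuewild" in tags) else "issue"
    authorized = [v for _, t, v in records if t == tag]
    if not authorized:
        return True, "no %s property: CAA places no restriction" % tag
    for value in authorized:
        issuer = value.split(";", 1)[0].strip()   # drop any parameters
        if issuer and issuer.lower() == ca_domain.lower():
            return True, "%s property authorizes %s" % (tag, ca_domain)
    return False, "%s property does not list %s" % (tag, ca_domain)


# Constructed RRset: a valid issue record plus a critical tag the CA does not know.
EXAMPLE_RRSET = [parse_caa(r) for r in (
    '0 issue "ca.example"',
    '128 policy-v2 "must-understand"',
)]

if __name__ == "__main__":
    print("strict   :", caa_permits(EXAMPLE_RRSET, "ca.example"))
    print("permissive:", caa_permits(EXAMPLE_RRSET, "ca.example", strict=False))
```

The same RRset yields "do not issue" under the strict reading and "issue" under the permissive one, which is exactly the gap the corrected sentence closes.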