On Thursday, September 1, 2016 at 12:07:48 AM UTC-7, Hanno Böck wrote:
> Good thing: Can be easily tested by others whether a CA implements it
> and it may reduce misissuances.
>
> I'm inclined to say every CA should implement CAA, but it seems last
> time this was discussed in the CA/Browser-Forum they agreed to make
> this a SHOULD, not a MUST.
There's still concern about how the practical implementation would work. That's the curse of some WGs - due to a variety of externalities, rough consensus may be formed, but running code - especially operational - leads to practical challenges. We see this with RFC 6962 (and RFC 6962-bis), we saw this with HPKP, and I would argue, we see this with CAA as well.

What was discussed in the Forum is the lack of defined policies for what it means to "implement CAA". For example, if Trustwave were to see a CAA record for "symantec.com", could it issue the cert? Why or why not? To what forms does the CAA record apply with regards to issuance - for example, if a CA were to go in person, sit down in front of the CTO/COO, verify their passport, verify with their lawyers that the CTO was duly authorized, then even if the CAA record said otherwise, could they issue then?

During the Forum discussion, it was clear that Symantec's representative had some confusion about CAA, which similarly suggests that we will likely see the same implementation issues in CAs that have led to the many RFC 5280 violations, but as CAA is designed as an issuer-side check, at time of issuance, there will be no way for the community to evaluate such compliance.

To be clear: I'm an ardent supporter of CAA. I, ideally, want to see CAs leading the way in thinking through the issues related to CAA, and the risks their businesses may face, and how best to address them. I'd like to avoid policy by fiat if possible, but support it if that's what it takes to solve the current first mover problem. But I think that if we do entertain this option, and if it does come to needing root store fiat, there definitely needs to be a clear consensus on the appropriate policies for implementation, and it may take some delicate hand-holding of CAs (... with ample publicly available test cases) to help them evaluate their issuance systems.
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
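To make the "could Trustwave issue for symantec.com" question concrete, here is an added example (not code from this thread or from any CA) of the issuer-side check a CA would run under RFC 6844 at issuance time: climb toward the root for the relevant CAA RRset, then test the issuer's domain against the issue/issuewild properties, refusing outright on an unrecognised critical property. The zone contents, CA names and helper functions are constructed for illustration; CNAME/DNAME following and DNSSEC validation are omitted.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) is the issuer-critical flag
    tag: str
    value: str

# Constructed sample zone (hypothetical names): CAA RRsets keyed by owner name.
ZONE = {
    "example.com.": [CAA(0, "issue", "ca-a.example"), CAA(0, "issuewild", ";")],
    "locked.example.com.": [CAA(128, "future-tag", "x")],
}

def relevant_caa(fqdn, zone):
    """RFC 6844 section 4: climb toward the root; the first non-empty CAA RRset wins."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".", [])
        if rrset:
            return rrset
    return []

def issuer_domain(value):
    """'ca.example; account=123' -> 'ca.example'; ';' or '' -> None (nobody may issue)."""
    domain = value.split(";", 1)[0].strip().lower()
    return domain or None

def may_issue(fqdn, issuer, zone, wildcard=False):
    """Return (allowed, reason) for `issuer` asking to issue for `fqdn`."""
    rrset = relevant_caa(fqdn, zone)
    if not rrset:
        return True, "no CAA records in the tree; issuance unrestricted"
    # An unrecognised property with the critical flag set forbids issuance outright.
    for r in rrset:
        if r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef"):
            return False, f"critical property '{r.tag}' not understood; MUST NOT issue"
    # issuewild governs wildcard requests only when present; otherwise issue applies.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    allowed = {issuer_domain(r.value) for r in rrset if r.tag == tag}
    if issuer.lower() in allowed:
        return True, f"{tag} property names {issuer}"
    return False, f"{tag} properties do not name {issuer}: {sorted(map(str, allowed))}"
```

Runs such as `may_issue("www.example.com.", "other-ca.example", ZONE)` are exactly the kind of publicly shareable test cases the post asks for, since the decision depends only on the RRset and the issuer name.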

