On Mon, Sep 11, 2017 at 3:09 PM Jonathan Rudenberg via dev-security-policy < [email protected]> wrote:
>
> > On Sep 11, 2017, at 17:41, Ryan Sleevi via dev-security-policy < [email protected]> wrote:
> >
> > That seems like very poor logic and justification.
> >
> > Given that CAA and DNSSEC have been discussed in the CA/Browser Forum for
> > literally years now, perhaps it's worth asking why CAs are only now
> > discovering issues. That is, is the only reason we're discovering issues
> > because CAs waited for the last possible moment? If so, why.
>
> I think the BR clause that brings DNSSEC in is poorly drafted.

Why?

> It seems like the intent may be to require full DNSSEC validation for CAA
> lookups, but that’s not what it says. I don’t think the issues under
> discussion have anything to do with the last moment. There appear to be
> significant differences in understanding, which were not discussed publicly
> until now. The ideal path here would have been for CAs to consult with the
> community about the interpretation and implementation details of this
> clause well before it came into force.

I'm not sure I would agree with that, because it is completely unmeasurable, and every CA being "compliant" with such a requirement would still have resulted in the same outcome.

>
> Additionally, it may be a stretch to say that DNSSEC in the context of CAA
> has been discussed extensively.

I'm not sure I understand why you feel some special discussion is or was necessary, given the discussion that occurred in IETF on this. That is, are you asserting that these issues - such as CAs not even checking CAA - are because of the ballot language?

> I’m not familiar with relevant discussions that are not indexed by Google,
> but when I researched this I only found a few exchanges about this specific
> requirement on the public mailing list.

This was discussed at nearly every single F2F since late 2013/early 2014. The DNSSEC discussion was very much part of the IETF discussions. What discussions do you feel should have happened, but didn't?
>
> > I think arguments that suggest that failing to do the right thing makes it
> > OK to do the wrong thing are the worst arguments to make :)
>
> My argument is not that it’s okay to do the wrong thing. Instead, I think
> it’s worth evaluating the DNSSEC requirement to decide whether it should
> continue to be defined as “the right thing” in the BRs. I did not see any
> such analysis on cabfpub.

I'm surprised to even see the suggestion that it isn't. Do you feel the security considerations are insufficiently documented in the CAA RFC? Do you feel it's not sufficiently obvious the risks of not using DNSSEC?

This feels very knee-jerk, but I may be misunderstanding part of your argument. Perhaps you could do a small write-up of why you feel things are problematic, since the original argument - which seems to be "some CAs had trouble" - is not at all compelling given the facts and the years of discussion that led up to this ballot.

