Hi all,

I have a question regarding processing of CAA records for “wildcard 
certificates”.

Let’s assume the following CSR:

     X509v3 Subject Alternative Name: 
           DNS: *.example.com
           DNS: example.com

Per BR, every SAN DNS name must be checked separately.
Now, my interpretation would be that for *.example.com, you would query 
example.com for an "issuewild" entry,
and for example.com, you would query example.com for an "issue" entry. 

What if the zone file looks like this:
        example.com 0 CAA 0 issue ";"
        example.com 0 CAA 0 issuewild "yourca"

My interpretation would be that “yourca” (as any other CA) would not be 
permitted to issue this certificate, 
as it is not allowed to issue for the non-wildcard part example.com. 

A plunge through the related documents [see appendix] seems to point in that 
direction, but I still have doubts. 

What is the community interpretation?

Kind regards
Quirin 

---------

Appendix:

BR defines a wildcard certificate as "Wildcard Certificate: A Certificate 
containing an asterisk (*) in the left‐most position of any of the Subject 
Fully‐Qualified Domain Names contained in the Certificate.”  —> This means that 
the whole certificate is a wildcard certificate.

—

RFC2818:

> Names may contain the wildcard character * which is considered to match any 
> single domain name  component or component fragment. E.g., *.a.com matches 
> foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.

—> example.com is not part of *.example.com

RFC6844:

> "   issuewild <Issuer Domain Name> [; <name>=<value> ]* :  The issuewild
>   property entry authorizes […] to issue wildcard certificates for the
>   domain in which the property is published."


> "Given a request for a specific domain X, or a request for a wildcard
> domain *.X, the relevant record set R(X) is determined as follows:”

—> The 'relevant record set' is specified per domain

> "issuewild properties MUST be ignored when processing a request for a
> domain that is not a wildcard domain." 

—> Especially this last paragraph seems to indicate that the CSR above would 
not be permitted to be issued. Also, it specifically uses “domain” and not 
“certificate”.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
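The per-SAN CAA evaluation discussed in the post, carried out in code as an added worked example (this is not code from the original post and not any CA's implementation). It applies the RFC 6844 / RFC 8659 rules quoted above: the relevant record set R(X) is found by walking up the name tree to the nearest label with CAA records, issuewild is ignored for non-wildcard names, issuewild takes precedence over issue for wildcard names when present, and the value ";" authorises no issuer. The ZONE dictionary is constructed from the two records in the post; CNAME/alias chasing, live DNS lookups and the iodef property are omitted, which is an assumption of the example. Run against the CSR in the post, it reports *.example.com permitted for "yourca" but example.com denied, so the certificate as a whole is refused.

```python
"""
Per-SAN CAA check for a CSR under the RFC 6844 / RFC 8659 issue and
issuewild rules. Added example, not code from the post or from any CA.
Zone contents are constructed; alias chasing and live DNS are omitted.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (0x80) is the "issuer critical" flag
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "yourca", or ";" meaning no issuer at all


# Constructed zone (assumption): the CAA RRset from the post.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", ";"),
        CAARecord(0, "issuewild", "yourca"),
    ],
}

KNOWN_TAGS = ("issue", "issuewild", "iodef")


def relevant_record_set(fqdn, zone):
    """R(X): the CAA RRset of X, or of the nearest ancestor that has one
    (RFC 6844 section 4 / RFC 8659 section 3, without alias handling)."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def issuer_of(value):
    """'<issuer-domain-name> [; name=value]*' -> issuer-domain-name.
    The value ';' yields '' which matches no CA, i.e. nobody may issue."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(san, ca_domain, zone):
    """True if CAA allows ca_domain to issue for this single SAN name."""
    is_wild = san.startswith("*.")
    base = san[2:] if is_wild else san
    rrset = relevant_record_set(base, zone)
    # A record with the critical bit set and an unknown tag forbids issuance.
    if any(r.flags & 0x80 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # issuewild only applies to wildcard requests; when present there it
    # takes precedence over issue. For non-wildcard names it is ignored.
    applicable = issuewild if (is_wild and issuewild) else issue
    if not applicable:
        return True   # no restricting property for this kind of request
    return any(issuer_of(r.value) == ca_domain.lower() for r in applicable)


def csr_permitted(sans, ca_domain, zone):
    """Every SAN must pass on its own; returns (overall, per-SAN results)."""
    results = {san: caa_permits(san, ca_domain, zone) for san in sans}
    return all(results.values()), results


if __name__ == "__main__":
    sans = ["*.example.com", "example.com"]
    for ca in ("yourca", "otherca"):
        ok, detail = csr_permitted(sans, ca, ZONE)
        print(f"{ca}: permitted={ok} {detail}")
```

The same function also shows the other direction of the rule: with a zone that carries only issue "yourca" and no issuewild, a request for *.example.com falls back to the issue property and is permitted for yourca, because issuewild only overrides issue when it is actually present in the relevant record set.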
