On Wednesday, November 15, 2017 at 8:11:18 AM UTC-5, Quirin Scheitle wrote:
> Hi all,
>
> I have a question regarding processing of CAA records for "wildcard certificates".
>
> Let's assume the following CSR:
>
> X509v3 Subject Alternative Name:
> DNS: *.example.com
> DNS: example.com
>
> Per BR, every SAN DNS name must be checked separately.
> Now, my interpretation would be that for *.example.com, you would query example.com for an "issuewild" entry, and for example.com, you would query example.com for an "issue" entry.
>
> What if the zone file looks like this:
> example.com 0 CAA 0 issue ";"
> example.com 0 CAA 0 issuewild "yourca"
>
> My interpretation would be that "yourca" (as any other CA) would not be permitted to issue this certificate, as it is not allowed to issue for the non-wildcard part example.com.
>
> A plunge through the related documents [see appendix] seems to point in that direction, but I still have doubts.
>
> What is the community interpretation?
>
> Kind regards
> Quirin
>
> ---------
>
> Appendix:
>
> BR defines a wildcard certificate as "Wildcard Certificate: A Certificate containing an asterisk (*) in the left-most position of any of the Subject Fully-Qualified Domain Names contained in the Certificate." —> This means that the whole certificate is a wildcard certificate.
>
> —
>
> RFC2818:
>
> > Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.
>
> —> example.com is not part of *.example.com
>
> RFC6844:
>
> > "issuewild <Issuer Domain Name> [; <name>=<value> ]* : The issuewild property entry authorizes [...] to issue wildcard certificates for the domain in which the property is published."
>
> > "Given a request for a specific domain X, or a request for a wildcard domain *.X, the relevant record set R(X) is determined as follows:"
>
> —> The 'relevant record set' is specified per domain
>
> > "issuewild properties MUST be ignored when processing a request for a domain that is not a wildcard domain."
>
> —> Especially this last paragraph seems to indicate that the CSR above would not be permitted to be issued. Also, it specifically uses "domain" and not "certificate".
Hi Quirin,

You are correct that the certificate will not issue. Here's a breakdown of the steps taken by the "yourca" CA to check CAA:

1) Retrieval of CAA records at "example.com" for SAN "*.example.com".
2) Both an "issue" and "issuewild" record exist, and the SAN "*.example.com" is a wildcard SAN, so the "issuewild" record has precedence over the "issue" record (RFC 6844, section 5.3 states: "issuewild properties take precedence over issue properties when specified").
3) The identifying domain name in the "issuewild" record is compared with the set of yourca's identifying domain names. A matching identifying domain name is found, so the "yourca" CA is permitted to issue for "*.example.com".
4) Retrieval of CAA records at "example.com" for SAN "example.com".
5) As stated in step 2, both "issue" and "issuewild" records exist, but the SAN "example.com" is not a wildcard SAN, so the "issuewild" record is ignored (RFC 6844, section 5.3 states: "issuewild properties MUST be ignored when processing a request for a domain that is not a wildcard domain").
6) The identifying domain name in the "issue" record is the empty string, so "yourca" can't issue for "example.com".
7) The issuance attempt fails.

Hope that helps.

Thanks,
Corey Bonnell
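The per-SAN evaluation Corey walks through, written out as an added example (not code from the thread or from any CA's issuance software). The zone data is constructed inline from Quirin's two records, the `ZONE` dict stands in for DNS, and the function names are this example's own; it also applies the RFC 6844 section 4 parent climb so names below example.com are covered.

```python
# Added example: RFC 6844 CAA check for every SAN of a CSR (BR: each SAN
# is checked on its own). Constructed zone; no real DNS lookups are made.
ZONE = {
    "example.com": [("issue", ";"), ("issuewild", "yourca")],
}


def relevant_record_set(name):
    """RFC 6844 s.4: strip a leading wildcard label, then climb toward the
    root and return the first CAA record set found (empty if none)."""
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    while labels:
        rrset = ZONE.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def ca_may_issue(san, ca_domains):
    """RFC 6844 s.5.2/5.3 for one SAN; ca_domains is the set of the CA's
    identifying domain names. Returns True if the CA may issue."""
    rrset = relevant_record_set(san)
    if not rrset:
        return True  # no CAA records at all: issuance is unrestricted
    is_wild = san.startswith("*.")
    issue = [v for tag, v in rrset if tag == "issue"]
    issuewild = [v for tag, v in rrset if tag == "issuewild"]
    # issuewild governs a wildcard SAN when present; it is ignored for a
    # non-wildcard SAN, which is judged by the issue properties alone.
    relevant = issuewild if (is_wild and issuewild) else issue
    if not relevant:
        return True  # no applicable property for this kind of name
    for value in relevant:
        issuer = value.split(";", 1)[0].strip()  # parameters follow ';'
        if issuer and issuer in ca_domains:  # ";" alone names no CA
            return True
    return False


def check_csr(sans, ca_domains):
    """Check every SAN independently; one refusal blocks the whole CSR."""
    results = {san: ca_may_issue(san, ca_domains) for san in sans}
    return all(results.values()), results


if __name__ == "__main__":
    ok, per_san = check_csr(["*.example.com", "example.com"], {"yourca"})
    print(per_san, "-> issue" if ok else "-> refuse")
```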

