RFC 6844: "The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify the Certification Authorities (CAs) authorized to issue certificates for that domain."

CAA record checks would be outside the scope of revocation requests. I'm not sure I agree with "In any event, proof of ability to modify the authoritative DNS over each label in the certificate should almost certainly suffice to revoke a previously issued certificate that relied exclusively upon just about any other sort of domain validation." But only because I doubt every CA supports DNS checking, and I know several companies where the people operating the DNS are not the same entities authorized to manage certificates.

-----Original Message-----
From: dev-security-policy <dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org> On Behalf Of Matthew Hardeman via dev-security-policy
Sent: Friday, June 1, 2018 5:17 PM
To: Jeremy Rowley <[email protected]>
Cc: mozilla-dev-security-policy <[email protected]>; Jakob Bohm <[email protected]>; Wayne Thayer <[email protected]>
Subject: Re: Namecheap refused to revoke certificate despite domain owner changed

On Fri, Jun 1, 2018 at 2:38 PM, Jeremy Rowley via dev-security-policy <[email protected]> wrote:

> This is one of the reasons I think we should require an OID specifying
> the validation method be included in the cert. Then you can require
> the CA support revocation using the same validation process as was
> used to confirm certificate authorization. With each cert logged in
> CT, everyone in the world will know exactly how to revoke an
> unauthorized or no-longer-wanted cert.
>

I agree that it would be forensically interesting to have that data available in the certificate.

I question whether a policy of using only the same method of demonstrating control anew is appropriate as a policy for granting revocation. There is a hierarchy of supremacy in domain validation. The party controlling the NS delegations from the registry has absolute precedence over the present effective DNS server administrator, should they choose to flex it. The party immediately in effective control of the authoritative DNS takes precedence over a website admin within the domain.

Consider that now current CAA records and policy (for good cause, even) might presently prohibit successful validation via the method previously utilized to acquire the certificate that the current domain holder wishes to have revoked. (Even if only by specifying a new CA, rather than the CA that previously issued the certificate for which revocation is being sought.) Would you then advocate that if the validation can succeed -- save for the CAA mismatch -- that this be regarded as sufficient evidence to revoke? That probably deserves some careful thought.

In any event, proof of ability to modify the authoritative DNS over each label in the certificate should almost certainly suffice to revoke a previously issued certificate that relied exclusively upon just about any other sort of domain validation.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
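The CAA scenario Matthew raises above (the current holder's CAA now names a different CA than the one that issued the certificate, so the original CA's own validation is blocked by CAA even though the DNS proof itself would succeed) is easier to see with the RFC 6844 evaluation written out. The following is an added example, not code from this thread or from any CA: it implements the section 4 "relevant record set" tree climb and the issue/issuewild/critical-flag rules against a constructed in-memory zone instead of live DNS. The CA names (oldca.example, newca.example, otherca.example) and the zone contents are hypothetical, and CNAME/DNAME alias following is left out (RFC 8659, which later replaced RFC 6844, dropped it as well).

```python
"""CAA evaluation per RFC 6844 sections 4 and 5 against a constructed in-memory zone.

Added example, not code from the thread. DNS is replaced by the ZONE dict below;
CA and domain names are hypothetical. CNAME/DNAME alias following is omitted.
"""
from dataclasses import dataclass

CRITICAL = 0x80          # issuer-critical flag bit in the CAA flags byte
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int   # RFC 6844 flags byte
    tag: str     # property tag
    value: str   # property value, e.g. "ca.example; account=1234"


# Constructed zone data (assumed, not real DNS). Owner names are fully qualified.
ZONE = {
    "example.com.": [CAA(0, "issue", "newca.example; account=1234")],
    "report-only.example.com.": [CAA(0, "iodef", "mailto:[email protected]")],
    "legacy.example.com.": [CAA(0, "issue", ";")],          # nobody may issue
    "wild.example.com.": [CAA(0, "issue", "newca.example"),
                          CAA(0, "issuewild", "otherca.example")],
    "strict.example.com.": [CAA(CRITICAL, "some-future-tag", "x"),
                            CAA(0, "issue", "newca.example")],
}


def _fqdn(name):
    return name.strip().lower().rstrip(".") + "."


def _parent(name):
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def relevant_caa_set(name, zone):
    """Climb from the name up to the TLD and return the first non-empty CAA RRset.

    A leading "*." is dropped first: a wildcard request is evaluated against
    the CAA records of the name the wildcard sits under.
    """
    name = _fqdn(name)
    if name.startswith("*."):
        name = name[2:]
    while name != ".":
        rrset = zone.get(name, [])
        if rrset:
            return list(rrset)
        name = _parent(name)
    return []


def _issuer_domain(value):
    # "ca.example; account=1234" -> "ca.example";  ";" or "" -> "" (matches no CA)
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(ca_domain, name, zone):
    """True if the CA identified by ca_domain may issue for name under this zone."""
    rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True                        # no CAA anywhere up the tree
    # A critical property the CA does not understand forbids issuance outright.
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    wildcard = name.strip().startswith("*.")
    has_issuewild = any(r.tag.lower() == "issuewild" for r in rrset)
    tag = "issuewild" if wildcard and has_issuewild else "issue"
    relevant = [r for r in rrset if r.tag.lower() == tag]
    if not relevant:
        return True                        # e.g. an iodef-only RRset restricts nobody
    return ca_domain.lower() in {_issuer_domain(r.value) for r in relevant}


if __name__ == "__main__":
    # The thread's scenario: the cert was issued by oldca.example, but the current
    # holder's CAA at example.com now names only newca.example, so re-running the
    # original CA's validation fails on CAA alone, not on the DNS proof.
    for ca, name in [("oldca.example", "www.example.com"),
                     ("newca.example", "www.example.com"),
                     ("newca.example", "legacy.example.com"),
                     ("otherca.example", "*.wild.example.com"),
                     ("otherca.example", "wild.example.com"),
                     ("newca.example", "strict.example.com"),
                     ("anyca.example", "report-only.example.com")]:
        verdict = "may issue" if ca_may_issue(ca, name, ZONE) else "MUST NOT issue"
        print(f"{ca:16} {name:28} {verdict}")
```

Two details in the check are worth noticing because they bear on the "validation would succeed save for the CAA mismatch" question: an RRset that carries only an iodef property restricts no CA at all, whereas an issue property with an empty or ";" value forbids every CA, so a CAA failure is not a single condition a CA could simply waive for a revocation request.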

