I read it briefly but it seems to me like there's a significant
failure/abuse scenario:

ISP controls an IP block that it portions out to customers. ISP has a web
server and puts in the IP/IPv6 CAA records.

Customers that use delegated IP space from the ISP can now only use those
CAAs as well if they want to use this standard, correct?

If this is correct, and I was a CA and read this I'd be building a
PowerPoint deck for my sales team on how ISPs can partner with us to get a
20-50% commission on sales of certificates by doing this one simple thing...


On Fri, Dec 2, 2022 at 9:23 AM Antonios Chariton <[email protected]>
wrote:

> Hello everyone,
>
> I have submitted the following Internet Draft to the IETF LAMPS Working
> Group for consideration:
> https://datatracker.ietf.org/doc/draft-chariton-ipcaa/
>
> You can read the mailing list thread here:
> https://mailarchive.ietf.org/arch/msg/spasm/dQLF1fQQPNX9A59YV4imXRz9ABw/
>
> This proposes the creation of a new CAA record property, on top of the
> existing ones, e.g. “issuewild”, that will allow an entity controlling an
> IP address to benefit from the power of CAA records.
>
> The idea is to add CAA records to the “reverse DNS” zones, ip6.arpa and
> in-addr.arpa, that support the hierarchical nature of DNS: a CAA record in
> 2.0.0.c.d.3.d.0.a.2.ip6.arpa takes precedence over one in
> 0.c.d.3.d.0.a.2.ip6.arpa.
>
> As this is relevant to the WebPKI, I am sending this e-mail here to
> solicit your feedback on the idea, any potential improvements, etc.
>
> Thanks,
> Antonis
>
> GitHub Repo: https://github.com/daknob/draft-chariton-ipcaa
> HTML: https://daknob.github.io/draft-chariton-ipcaa/
> TXT: https://daknob.github.io/draft-chariton-ipcaa/draft.txt
>
>
> --
> You received this message because you are subscribed to the Google Groups "
> [email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/788376DF-8D67-48E0-AEE1-52085183217D%40gmail.com.
>


-- 
Kurt Seifried (He/Him)
[email protected]
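
The precedence rule quoted above and the delegation question raised in the reply, worked through as an added example (not part of either message or of the draft). It assumes a closest-ancestor lookup in the style of ordinary CAA tree climbing and that no record set means no restriction; the zone contents and CA names are constructed placeholders.

```python
import ipaddress

# Constructed reverse-zone data: owner name -> CA domains authorised there.
# The two prefixes are the ones quoted in the thread; CA names are placeholders.
ZONE = {
    "0.c.d.3.d.0.a.2.ip6.arpa": ["isp-partner-ca.example"],    # ISP's /32
    "2.0.0.c.d.3.d.0.a.2.ip6.arpa": ["customer-ca.example"],   # delegated /40
}


def reverse_name(ip):
    """Full ip6.arpa / in-addr.arpa name for an address (no trailing dot)."""
    return ipaddress.ip_address(ip).reverse_pointer


def relevant_caa(ip, zone):
    """Climb from the full reverse name towards the root and return
    (owner, cas) for the closest ancestor that has records, else (None, [])."""
    labels = reverse_name(ip).split(".")
    # Stop before the bare "ip6.arpa" / "in-addr.arpa" suffix.
    for i in range(len(labels) - 2):
        owner = ".".join(labels[i:])
        if owner in zone:
            return owner, zone[owner]
    return None, []


def may_issue(ip, ca, zone):
    """Assumed semantics: no relevant record set means no restriction."""
    owner, cas = relevant_caa(ip, zone)
    return owner is None or ca in cas


if __name__ == "__main__":
    for ip in ("2a0d:3dc0:200::1",   # inside the delegated /40
               "2a0d:3dc0:100::1",   # ISP space with no records of its own
               "2001:db8::1"):       # outside both prefixes
        owner, cas = relevant_caa(ip, ZONE)
        print(ip, "->", owner, cas)
```

An address in ISP space whose holder cannot publish records in the reverse zone resolves to the ISP's record set, which is the situation the reply describes.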
