I'd like to restart discussion on some points raised back in Bilbao [1] in May.
The most contentious point, I think, was what the CA could and should do if it finds a CAA record set that doesn't include the CA. At the meeting, these options were discussed:

1) Discuss with the subscriber and ask them to update the CAA record (possibly issue the cert if the subscriber can't update the record, or can't do it in a reasonable timeframe)
2) Treat the request as "High Risk" (defined in the BRs)
3) Contact the domain holder based on whois info
4) Require EV-level validation (thought by some to be overkill for DV certs)

Some opposed Option 1 because it's not a "hard block". Option 2 has the benefit of being defined in the BRs, but the BRs just say "The CA SHALL develop, maintain, and implement documented procedures that identify and require additional verification activity for High Risk Certificate Requests prior to the Certificate's approval..." It's not clear to me what additional verification activity would be performed beyond Option 1. Option 3 isn't reliable because some domain registrations don't contain contact information. Option 4 seems like a possibility, if we can agree on which verification methods in the EVGL are appropriate. Perhaps Section 11.8.3, Acceptable Methods of Verification - Authority?

Additionally, I'd like to address this point: 'Ryan pointed out that, at present, nothing would prevent Neil from stating in his CP/CPS that his CA will issue certificates if he sees a CAA record for "symantec.com".' If Neil adopted that policy, wouldn't it violate RFC 6844, which says "The issue property entry authorizes the holder of the domain name <Issuer Domain Name> or a party acting under the explicit authority of the holder of that domain name to issue certificates for the domain in which the property is published."?

[1] https://cabforum.org/wiki/Meeting%2038%20Minutes#CAA_.28RFC_6844.29

-Rick
_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public
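The check that the message is debating the consequences of, i.e. "does the relevant CAA record set authorize this CA?", is spelled out in RFC 6844 sections 4 and 5. The following is an added illustration of that check, not part of Rick's message and not any CA's production code. It replaces DNS with a constructed in-memory zone, omits the CNAME/DNAME steps of the section 4 tree climb, and uses made-up names (`neils-ca.example`, `ca-a.example`, and so on). It goes slightly beyond the message by also handling the `issuewild` tag, the issuer-critical flag, the empty issuer form `issue ";"`, and `;`-separated parameters in the value, all of which are in the RFC. The case the thread is about is the one that returns `False`: the record set exists but names only `symantec.com`, so a different CA is not authorized, whatever its CP/CPS says.

```python
"""RFC 6844 CAA issuance check against a constructed in-memory zone.

Added example, not from the mailing-list message. Assumptions:
- the zone dict stands in for DNS lookups (constructed data, not real records);
- CNAME/DNAME handling from RFC 6844 section 4 is omitted;
- property tags and domain names are compared case-insensitively.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

CRITICAL = 128  # issuer-critical flag bit (RFC 6844 section 5.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def relevant_rrset(zone: Dict[str, List[CAARecord]], fqdn: str) -> Optional[List[CAARecord]]:
    """Return the relevant CAA RRset for fqdn: the first non-empty RRset found
    while climbing from the name toward the root (section 4, minus CNAME/DNAME)."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return None


def issuer_domain(value: str) -> str:
    """Issuer domain from an issue/issuewild value, with any ';' parameters dropped,
    e.g. 'ca-c.example; account=42' -> 'ca-c.example'; 'issue ;' yields ''."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone: Dict[str, List[CAARecord]], fqdn: str, ca_domain: str) -> bool:
    """True if the CA identified by ca_domain may issue for fqdn under CAA.
    A leading '*.' on fqdn marks a wildcard request (issuewild applies if present)."""
    wildcard = fqdn.startswith("*.")
    if wildcard:
        fqdn = fqdn[2:]
    rrset = relevant_rrset(zone, fqdn)
    if rrset is None:
        return True  # no CAA anywhere up the tree: CAA does not restrict issuance
    # An unrecognised property marked critical forbids issuance (section 5.1).
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # CAA present (e.g. iodef only) but nothing restricts issuance
    # Only the named issuer domain (or a party acting under its authority) is
    # authorized; a CA that is not listed is not, regardless of its own policy.
    return ca_domain.lower() in {issuer_domain(r.value) for r in applicable}


# Constructed zone data for the demonstration (not real DNS records).
ZONE = {
    "example.com": [CAARecord(0, "issue", "symantec.com"),
                    CAARecord(0, "iodef", "mailto:security@example.com")],
    "wild.example.com": [CAARecord(0, "issue", "ca-a.example"),
                         CAARecord(0, "issuewild", "ca-b.example")],
    "params.example.com": [CAARecord(0, "issue", "ca-c.example; account=42")],
    "locked.example.com": [CAARecord(0, "issue", ";")],
    "crit.example.com": [CAARecord(CRITICAL, "futuretag", "whatever")],
    "iodefonly.example.com": [CAARecord(0, "iodef", "mailto:security@example.com")],
}

if __name__ == "__main__":
    # The thread's scenario: the record set names only symantec.com.
    print(may_issue(ZONE, "www.example.com", "symantec.com"))     # True
    print(may_issue(ZONE, "www.example.com", "neils-ca.example"))  # False
```

The `neils-ca.example` result is the situation the thread is about: the CA has a definite answer from CAA (not authorized), and the open question is only what the CA does next, which is policy rather than anything the check itself can decide.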