I agree that CAA is much more comprehensive, and would achieve what you 
describe.  Just wanted to point out that there are already many safeguards in 
place for many / most CAs to prevent accidental issuance of very high value 
domains that would likely come before a CAA check, so we are not defenseless 
today.  But you are right, this hard-wired stop list would not reach or protect 
all companies who put a CAA limit in their DNS record.  I doubt that many of 
these domains are targets of fraudsters compared to the highest level targets.

-----Original Message-----
From: Gervase Markham [mailto:g...@mozilla.org] 
Sent: Tuesday, October 18, 2016 1:36 AM
To: Kirk Hall <kirk.h...@entrust.com>; public@cabforum.org
Subject: Re: [cabfpub] Continuing the discussion on CAA

Hi Kirk,

On 17/10/16 18:07, Kirk Hall via Public wrote:
> Gerv, one other point to consider is that many CAs already have hard 
> stops that can't be easily overridden for the highest value names you 
> listed ("Google or Yahoo or Microsoft" - or Mozilla), so a hard stop 
> with CAA would never even be reached via automated requests for those 
> domains.

Indeed, I am aware of this. However, one problem with such a system is that the 
domains chosen may well be culturally-conditioned and perhaps not updated often 
- what are the key popular websites in Indonesia? Or Brazil? Or Turkey? And are 
they the same ones that were important last year?

Still, it's very relevant that you point out this fact, because the point in a 
CA's issuance process where this happens is exactly the point where I would 
tell them to insert the CAA check.

In other words, instead of having a static list of high value names assembled 
by the CA (which no-one seems to have a problem with, and all would say is best 
practice), I am saying we should have a dynamic list of high value names 
assembled by the domain owners, with membership of that list indicated by 
setting a CAA record. And the effect on the CA's issuance process should be the 
same "hard stop that can't be easily overridden" that you mention is now the 
case for Google, Yahoo and Microsoft.

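The "hard stop" with a CAA check that Gerv describes, written out as an added example (this is not code from the thread, from any CA, or from the CA/B Forum): the check first consults a static high-value list like the one Kirk mentions, then the CAA policy found by the CAA tree climb (RFC 8659 semantics). The in-memory zone, CA identifier and list entries are constructed placeholders so the script runs offline.

```python
"""Issuance hard-stop: static high-value list first, then CAA (added example)."""

# Constructed sample CAA data: owner name -> list of (flags, tag, value).
# A missing name or an empty list means "no CAA RRset at this owner".
ZONE = {
    "example.com.":    [(0, "issue", "trusted-ca.example"), (0, "issuewild", ";")],
    "locked.example.": [(0, "issue", ";")],          # no CA may issue
    "future.example.": [(128, "newtag", "value")],   # unknown tag, critical flag set
}

# Placeholder for the CA's own static "can't be overridden" list from the thread.
STATIC_HARD_STOP = {"google.com.", "yahoo.com.", "microsoft.com.", "mozilla.org."}


def relevant_caa(name, zone):
    """Tree climb: return the CAA RRset of the name itself or its closest ancestor."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".", [])
        if rrset:
            return rrset
    return []


def caa_permits(name, ca_domain, zone):
    """True if the CAA policy governing `name` allows `ca_domain` to issue."""
    wildcard = name.startswith("*.")
    rrset = relevant_caa(name[2:] if wildcard else name, zone)
    if not rrset:
        return True                        # no CAA anywhere up the tree: unrestricted
    known = {"issue", "issuewild", "iodef"}
    if any(flags & 128 and tag not in known for flags, tag, _ in rrset):
        return False                       # critical record we do not understand
    # Wildcards use issuewild when present, otherwise fall back to issue.
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in rrset) else "issue"
    allowed = [v.split(";")[0].strip().lower() for _, t, v in rrset if t == tag]
    if not allowed:
        return True                        # no records of the relevant tag
    return ca_domain.lower() in allowed    # 'issue ";"' yields "" and blocks everyone


def hard_stop(name, ca_domain, zone, static_list=STATIC_HARD_STOP):
    """Return the reason issuance must stop, or None if it may proceed."""
    base = name[2:] if name.startswith("*.") else name
    if base in static_list or any(base.endswith("." + d) for d in static_list):
        return "static high-value list"
    if not caa_permits(name, ca_domain, zone):
        return "CAA record forbids " + ca_domain
    return None
```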