On 24/10/16 17:26, Jeremy Rowley wrote:
> 1) CAA is currently an issuance check rather than a validation check. As
> mentioned during the face-to-face, this is a hurdle in fast issuance of
> certificates. We liked Ryan's proposal of simply doing a refresh every X days
> as a solution. By moving it to a validation check, CAs can have fast issuance
> times without CAA holding up the process after the initial validation is
> complete.

I think this is definitely worth exploring, and I am confident we can work out some reasonable parameters. However, I wonder if, if we are not checking CAA at every issuance, it would be wise for CAs to be required to implement a "no more certs, please" procedure where the customer can tell the CA to throw away all cached validation information, including the CAA check results. This could be automated in circumstances where the customer has a login.

> 2) If a customer has a single base domain and needs to issue 6 million certs
> an hour for the various sub domains, then there isn't a way for the CA to
> simply accept the base domain's CAA record.

I'm not sure how to address this without changing the way CAA works. AIUI it's specced to work from the requested domain down to the root. So I'm not sure I'd say this problem is "easily solved". Does PHB have a comment?

Gerv

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
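The two mechanisms discussed in this message, the CAA lookup that walks from the requested name toward the root (RFC 6844 §4, carried over into RFC 8659 §3) and a cached CAA result that the domain owner can flush, as an added worked example. This is illustrative code written for this page, not code from any CA or from the thread's participants; the zone contents, the CA identifier "ca.example.net" and the cache class are constructed assumptions, and DNS is replaced by an in-memory dictionary so the example runs offline.

```python
"""Added example: RFC 6844/8659-style CAA tree climbing, the issue/issuewild
decision, and a time-limited CAA cache with an owner-triggered flush.
Zone data below is constructed for the example; no real DNS is queried."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CRITICAL = 128  # bit 7 of the CAA flags octet: "issuer critical"
KNOWN_TAGS = ("issue", "issuewild", "iodef")


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str  # "ca.example.net", "ca.example.net; account=7", or ";" (nobody)


# Constructed zone snapshot standing in for DNS answers. A missing key means
# "no CAA RRset at this name", which is what makes the climb continue upward.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [
        CAARecord(0, "issue", "ca.example.net"),
        CAARecord(0, "issuewild", ";"),          # wildcards: nobody
    ],
    "locked.example.com": [CAARecord(0, "issue", ";")],
    "strict.example.com": [CAARecord(CRITICAL, "futuretag", "x")],
}


def relevant_caa_set(domain: str, zone: Dict[str, List[CAARecord]]
                     ) -> Tuple[Optional[str], List[CAARecord]]:
    """Return the first name with a non-empty CAA RRset, checking the requested
    name first and then each parent up to the TLD. This is why a base domain's
    record covers every subdomain that has no CAA RRset of its own."""
    labels = domain.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = zone.get(name)
        if rrset:
            return name, list(rrset)
    return None, []


def _issuer_domain(value: str) -> str:
    # "ca.example.net; account=7" -> "ca.example.net"; ";" -> "" (no issuer)
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(domain: str, ca_id: str,
                 zone: Dict[str, List[CAARecord]] = ZONE,
                 wildcard: bool = False) -> bool:
    """Decide whether the CA identified by ca_id may issue for domain."""
    _, rrset = relevant_caa_set(domain, zone)
    if not rrset:
        return True  # no CAA anywhere in the ancestry: issuance unrestricted
    # A critical record with a tag this CA does not understand forbids issuance.
    if any(rr.flags & CRITICAL and rr.tag not in KNOWN_TAGS for rr in rrset):
        return False
    issue = [rr for rr in rrset if rr.tag == "issue"]
    issuewild = [rr for rr in rrset if rr.tag == "issuewild"]
    # issuewild governs wildcard requests only when present; otherwise issue does.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True  # CAA present, but nothing constrains this kind of request
    return any(_issuer_domain(rr.value) == ca_id.lower() for rr in governing)


class CaaCache:
    """Reuse a CAA decision for ttl_seconds (the 'refresh every X days' idea)
    and let the domain owner discard it (the 'no more certs, please' idea)."""

    def __init__(self, zone: Dict[str, List[CAARecord]], ttl_seconds: int):
        self.zone = dict(zone)
        self.ttl = ttl_seconds
        self._cache: Dict[Tuple[str, str, bool], Tuple[bool, float]] = {}

    def authorized(self, domain: str, ca_id: str, now: float,
                   wildcard: bool = False) -> bool:
        key = (domain.lower().rstrip("."), ca_id.lower(), wildcard)
        hit = self._cache.get(key)
        if hit is not None and now - hit[1] < self.ttl:
            return hit[0]
        result = ca_may_issue(domain, ca_id, self.zone, wildcard)
        self._cache[key] = (result, now)
        return result

    def forget(self, domain: str) -> None:
        """Drop cached results for domain and every name beneath it: a cached
        answer for a.b.example.com may have been decided by example.com's RRset."""
        d = domain.lower().rstrip(".")
        for key in list(self._cache):
            if key[0] == d or key[0].endswith("." + d):
                del self._cache[key]
```

The cache deliberately invalidates by subtree rather than by exact name, because the climb means a decision for a deep subdomain can depend on a record several labels up; flushing only the name the customer typed would leave stale authorisations for everything underneath it.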
