Yes – thanks! I didn’t realize you could have CA-specific properties.


From: Ryan Sleevi [mailto:[email protected]] 
Sent: Monday, May 15, 2017 12:59 PM
To: CA/Browser Forum Public Discussion List <[email protected]>
Cc: Jeremy Rowley <[email protected]>
Subject: Re: [cabfpub] CAA Customer Identifier


Jeremy,


You can extend the CAA syntax with issuer-specific properties. Do you think it 
makes sense to first experiment with this deployment, and then subsequently 
report back?


Namely, the syntax for the issue property tag is


issue <Issuer Domain Name> [; <name>=<value> ]*


The '<name>=<value>' portion allows you to define CA-specific properties 
without the registration of additional tags. For example, your 'customer ID' 
tag is clearly CA specific, while 'validation method' could be generic (if 
applied to the BRs) or could be a CA-specific construction (if more rigid than 
the BRs).


For example, if DigiCert wanted, it could


issue digicert.com;cid=1234;method=1.2.3.4


This syntax is expanded upon in Section 5.2, which includes the following:

   An issuer MAY choose to specify issuer-parameters that further
   constrain the issue of certificates by that issuer, for example,
   specifying that certificates are to be subject to specific validation
   policies, billed to certain accounts, or issued under specific trust
   anchors.

   The semantics of issuer-parameters are determined by the issuer
   alone.

Does that help?


On Mon, May 15, 2017 at 2:45 PM, Jeremy Rowley via Public <[email protected]> wrote:

Although CAA significantly narrows the scope of issuers, a tag identifying the 
customer/account where issuance is permitted would significantly reduce spam 
domain control emails. Despite CAA limiting issuance of a domain to DigiCert, 
we may still have a dozen entities trying to request the same domain. In fact, 
I suspect the number of requested bad domains will increase on our side if a 
CAA record is present. Although we have methods to control spam validation 
emails, a bad actor could create accounts and annoy customers hoping the domain 
is inadvertently approved. To limit this, I’d like to create a CAA tag that is 
customerID. Something like: 


CAA 0 register “customer ID=[ID provided by CA]”


The requirement in the RFC for creating tags is to register the tag with IANA. 
I thought I’d float the idea here first though. If there’s interest, we could 
combine it with a validation method restriction.


CAA 0 register “customer ID=[ID provided by CA] validationMethod=[Validation 
Method OID]”


Jeremy


_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public



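As an added example (not code from this thread, from DigiCert, or from any CA), the following Python shows what the two proposals above look like in practice on the CA side: a parser for the issue-property syntax Ryan quotes from RFC 6844 section 5.2, a check that applies the resulting issuer-parameters to a request, and the RFC 6844 rule for properties with an unrecognised tag, which is what would govern a newly registered tag like the "register" tag Jeremy proposes. The parameter names cid and method, and the meaning given to them (restrict issuance to one customer account and one validation method OID), are assumptions; RFC 6844 leaves issuer-parameter semantics to the issuer alone. The CAA records are constructed sample data, not real DNS.

```python
"""CAA 'issue' values with issuer-parameters (RFC 6844, section 5.2).

Added example for this thread; not code from the thread, from DigiCert, or
from any CA. The 'cid' and 'method' parameter names and the meaning given to
them here are assumptions: RFC 6844 leaves issuer-parameter semantics to the
issuer alone.
"""
import re

CRITICAL = 0x80                               # issuer-critical flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # property tags defined by RFC 6844
_TAG_RE = re.compile(r"^[A-Za-z0-9]+$")       # tag = 1*(ALPHA / DIGIT)


def parse_issue_value(value):
    """Split an issue/issuewild value into (domain, params).

    Grammar: issuevalue = space [domain] space [";" space [parameters] space]
             parameters = parameter *(space ";" space parameter)
             parameter  = tag space "=" space value
    An empty domain (for example the value ";") means no issuer is authorised.
    """
    head, sep, tail = value.partition(";")
    domain = head.strip().lower()
    params = {}
    if sep:
        for part in tail.split(";"):
            part = part.strip()
            if not part:
                continue
            if "=" not in part:
                raise ValueError("malformed issuer-parameter: %r" % part)
            tag, _, val = part.partition("=")
            tag, val = tag.strip(), val.strip()
            if not _TAG_RE.match(tag):
                raise ValueError("invalid parameter tag: %r" % tag)
            params[tag.lower()] = val     # assumption: parameter tags are case-insensitive
    return domain, params


def ca_may_issue(records, ca_domain, account_id=None, method_oid=None):
    """CA-side decision for a non-wildcard name.

    records: the relevant CAA RRset as (flags, tag, value) tuples.
    Returns (permitted, reason). issuewild handling for wildcard names is
    omitted; it uses the same value syntax.
    """
    # RFC 6844: a critical property the CA does not understand forbids issuance.
    # A CA-specific tag such as 'register' therefore blocks every CA that does
    # not know it when marked critical, and is ignored by them when it is not.
    for flags, tag, _ in records:
        if flags & CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False, "unrecognised critical property %r" % tag

    issue_values = [parse_issue_value(v) for _, t, v in records if t.lower() == "issue"]
    if not issue_values:
        return True, "no issue property present; CAA does not restrict issuers"

    ours = [(d, p) for d, p in issue_values if d == ca_domain.lower()]
    if not ours:
        return False, "issue property does not name %s" % ca_domain

    # Any one of our records whose issuer-parameters fit this request suffices.
    for domain, params in ours:
        if "cid" in params and params["cid"] != account_id:
            continue                      # record is bound to another customer account
        if "method" in params and params["method"] != method_oid:
            continue                      # record requires a different validation method
        return True, "matched issue %s with parameters %s" % (domain, params)
    return False, "issue property names %s but its parameters exclude this request" % ca_domain


if __name__ == "__main__":
    # Constructed RRset (not real DNS data) using Ryan's example value.
    rrset = [(0, "issue", "digicert.com;cid=1234;method=1.2.3.4")]
    print(ca_may_issue(rrset, "digicert.com", account_id="1234", method_oid="1.2.3.4"))
    print(ca_may_issue(rrset, "digicert.com", account_id="9999", method_oid="1.2.3.4"))
    print(ca_may_issue(rrset, "example-ca.org"))
```

The practical consequence for the spam problem in the thread is the second call: a request from an account other than 1234 is refused before any domain-control e-mail is sent, while the third call shows the plain issue semantics excluding other CAs as before.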