Re: [cabfpub] [Ext] Voting has started on Ballot 21 - CAA Discovery CNAME Errata

2017-09-21 Thread Paul Hoffman via Public
Related to this thread, a post on the dns-operations mailing list from just now:

https://lists.dns-oarc.net/pipermail/dns-operations/2017-September/016752.html
___
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public


Re: [cabfpub] Ballot 213 - Revocation Timeline Extension

2017-09-21 Thread Gervase Markham via Public
On 20/09/17 01:26, Ryan Sleevi wrote:
> I appreciate your suggestion of a solution, but I'm not quite sure I
> understand your concerns. Apologies for that, but it would be great if
> you could elaborate why you feel it may be "overreaching". I had hoped
> my explanation provided context how it's both relevant and applicable to
> the activities of the CA/Browser Forum, and independent of any
> particular Root Stores perspective.

That was responding to a point made by you; you said it might be
inappropriate for the CAB Forum to require posting to m.d.s.p. And I
agree - it's outside the CAB Forum's remit. This is what I meant by the
"overreaching" I was avoiding. My proposed solution is that the BRs
require the existence of the report, and the root program requirements
say where it needs to be placed.

> In this context, I think it's useful to consider what is fundamentally a
> very simple proposal:
> - the CA/B Forum can establish a list that allows publishing of such reports
> - The Baseline Requirements require posting such results to that list

I'm ambivalent. It's one more thing for a CA to remember to do, and as
a root program person who will be requiring them to be sent to me
anyway, it doesn't add value for me. But I have no strong objection :-)

Gerv


Re: [cabfpub] Voting has started on Ballot 21(4) - CAA Discovery CNAME Errata

2017-09-21 Thread Christopher Kemmerer via Public

SSL.com votes yes.


On 9/20/2017 7:54 PM, Kirk Hall via Public wrote:


Voting has started on Ballot 214 – CAA Discovery CNAME Errata.

Technically, the Discussion period ended at 22:00 UTC today (which was 
3:00 pm Pacific Time).  Josh, as the Proposer of the Ballot, accepted 
Gerv and Tim’s email suggestion as to a 3-month transition period, but 
this acceptance occurred at 5:05 pm Pacific Time, two hours after the 
end of the discussion period.  Also, we don’t have specific amendment 
language to consider, only a concept.


Regrettably, I think it’s too late for this transition period 
amendment, so we are voting on Ballot 214 as originally proposed 
(see below).  If there is a need for a transition period, I think it’s 
best if it’s proposed by a separate ballot with specific language.


From: Public [mailto:public-boun...@cabforum.org] On Behalf Of Jacob Hoffman-Andrews via Public
Sent: Wednesday, September 13, 2017 2:31 PM
To: CABFPub
Subject: [EXTERNAL][cabfpub] Ballot 214: CAA Discovery CNAME Errata

Kicking off the official discussion period for ballot 214 today per 
discussion with Phillip.


The following motion has been proposed by Phillip Hallam-Baker of 
Comodo Group Inc. and endorsed by Gervase Markham of Mozilla and Mads 
Egil Henriksveen of Buypass.


-- MOTION BEGINS --

In the Baseline Requirements v1.4.9 Section 3.2.2.8. CAA Records

Strike:

As part of the issuance process, the CA MUST check for a CAA record 
for each dNSName in the subjectAltName extension of the certificate to 
be issued, according to the procedure in RFC 6844, following the 
processing instructions set down in RFC 6844 for any records found. If 
the CA issues, they MUST do so within the TTL of the CAA record, or 8 
hours, whichever is greater.


Replace with:

As part of the issuance process, the CA MUST check for CAA records and 
follow the processing instructions for any records found, for each 
dNSName in the subjectAltName extension of the certificate to be 
issued, as specified in RFC 6844 as amended by Errata 5065 (Appendix 
A). If the CA issues, they MUST do so within the TTL of the CAA 
record, or 8 hours, whichever is greater.



In the Baseline Requirements ADD an Appendix A that reads:

Appendix A -- RFC6844 Errata 5065

The following errata report has been held for document update for 
RFC6844, "DNS Certification Authority Authorization (CAA) Resource 
Record".


--
You may review the report below and at:
http://www.rfc-editor.org/errata/eid5065

--
Status: Held for Document Update
Type: Technical

Reported by: Phillip Hallam-Baker
Date Reported: 2017-07-10
Held by: EKR (IESG)


Section: 4

Original Text
-
   Let CAA(X) be the record set returned in response to performing a CAA
   record query on the label X, P(X) be the DNS label immediately above
   X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
   alias record specified at the label X.

   o  If CAA(X) is not empty, R(X) = CAA (X), otherwise

   o  If A(X) is not null, and R(A(X)) is not empty, then R(X) =
  R(A(X)), otherwise

   o  If X is not a top-level domain, then R(X) = R(P(X)), otherwise

   o  R(X) is empty.

Corrected Text
--
   Let CAA(X) be the record set returned in response to performing a CAA
   record query on the label X, P(X) be the DNS label immediately above
   X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
   alias record chain specified at the label X.

   o  If CAA(X) is not empty, R(X) = CAA (X), otherwise

   o  If A(X) is not null, and CAA(A(X)) is not empty, then R(X) =
  CAA(A(X)), otherwise

   o  If X is not a top-level domain, then R(X) = R(P(X)), otherwise

   o  R(X) is empty.

  Thus, when a search at node X returns a CNAME record, the CA will
  follow the CNAME record chain to its target. If the target label
  contains a CAA record, it is returned.

  Otherwise, the CA continues the search at
  the parent of node X.

  Note that the search does not include the parent of a target of a
  CNAME record (except when the CNAME points back to its own path).

  To prevent resource exhaustion attacks, CAs SHOULD limit the length of
  CNAME chains that are accepted. However CAs MUST process CNAME
  chains that contain 8 or fewer CNAME records.

--Motion Ends--

The procedure for approval of this Final Maintenance Guideline ballot 
is as follows (exact start and end times may be adjusted to comply 
with applicable Bylaws and IPR Agreement):


BALLOT 214 Status: Final Maintenance Guideline
Start time (22:00 UTC)
End time (22:00 UTC)


Discussion begins now and ends September 20, 2017 22:00 UTC (7 days)

Vote for approval begins September 20, 2017 22:00 UTC and ends 
September 27, 2017 22:00 UTC (7 days)


If vote approves ballot: Review Period (Chair to send Review Notice) 
(30 days). If Exclusion Notice(s) filed, ballot approval 
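The original and the corrected lookup from the errata, side by side, as an added Python example (not code from the ballot, the RFC or any CA; the zone data, hostnames and CA names are constructed). It shows the case where the two procedures disagree, an aliased name whose CNAME chain ends under a hosting provider that publishes its own CAA, and the 8-record chain limit:

```python
# Added example with constructed zone data; not the ballot's or RFC 6844's own code.
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_CNAME_CHAIN = 8  # errata: CAs MUST process chains of 8 or fewer CNAME records


class ChainTooLong(Exception):
    """CNAME chain longer than the accepted limit (the resource-exhaustion guard)."""


@dataclass
class Zone:
    """Minimal stand-in for DNS: CNAME targets and CAA record sets keyed by owner name."""
    cname: Dict[str, str]
    caa: Dict[str, List[str]]

    def caa_records(self, x: str) -> List[str]:
        """CAA(X): the CAA record set at label X, empty when there is none."""
        return list(self.caa.get(x, []))

    def chain_target(self, x: str, limit: int = MAX_CNAME_CHAIN) -> Optional[str]:
        """A(X) per the corrected text: the final target of the CNAME chain at X,
        or None when X is not an alias. Chains longer than `limit` are rejected."""
        hops, cur = 0, x
        while cur in self.cname:
            hops += 1
            if hops > limit:
                raise ChainTooLong(f"{x}: more than {limit} CNAME records")
            cur = self.cname[cur]
        return None if hops == 0 else cur


def parent(x: str) -> str:
    """P(X): the label immediately above X (names carry no trailing dot here)."""
    return x.split(".", 1)[1]


def r_original(zone: Zone, x: str, hops: int = 0) -> List[str]:
    """R(X) as in the original RFC 6844 text: A(X) is the immediate alias target and the
    rule recurses on R(A(X)), so the search also climbs the parents of every alias target."""
    caa = zone.caa_records(x)
    if caa:
        return caa
    target = zone.cname.get(x)
    if target is not None:
        if hops + 1 > MAX_CNAME_CHAIN:
            raise ChainTooLong(f"{x}: more than {MAX_CNAME_CHAIN} CNAME records")
        found = r_original(zone, target, hops + 1)
        if found:
            return found
    if "." in x:  # X is not a top-level domain
        return r_original(zone, parent(x), hops)
    return []


def r_corrected(zone: Zone, x: str) -> List[str]:
    """R(X) as corrected by errata 5065: follow the whole CNAME chain, use CAA at the
    chain's target if present, otherwise continue at the parent of X itself."""
    caa = zone.caa_records(x)
    if caa:
        return caa
    target = zone.chain_target(x)
    if target is not None:
        caa_at_target = zone.caa_records(target)
        if caa_at_target:
            return caa_at_target
    if "." in x:  # X is not a top-level domain
        return r_corrected(zone, parent(x))
    return []


def build_chain(n: int) -> Zone:
    """Constructed zone: n CNAME records hop0 -> hop1 -> ... -> hop{n}, CAA at the end."""
    cname = {f"hop{i}.chain.example": f"hop{i + 1}.chain.example" for i in range(n)}
    return Zone(cname, {f"hop{n}.chain.example": ['0 issue "ca-end.example"']})


# Constructed zone: a customer name aliased through a hosting provider's names. The
# customer publishes CAA at example.com, the provider at hosting.example.net.
ZONE = Zone(
    cname={"www.example.com": "alias.hosting.example.net",
           "alias.hosting.example.net": "edge.hosting.example.net",
           "api.example.com": "api-edge.hosting.example.net"},
    caa={"example.com": ['0 issue "ca-one.example"'],
         "hosting.example.net": ['0 issue "ca-two.example"'],
         "api-edge.hosting.example.net": ['0 issue "ca-three.example"']},
)
```

For www.example.com the original wording ends up honouring the hosting provider's CAA at hosting.example.net, while the corrected wording returns to the parent of the queried name and honours example.com's own CAA; when the chain target itself carries CAA (api.example.com), both agree.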

Re: [cabfpub] Ballot 190 and BR v. 1.5.2

2017-09-21 Thread Kirk Hall via Public
I would vote for just correcting Ballot 190 per the changes in Ballot 204 (that 
was effectively our intent with the two ballots - 204 was drafted after 190) 
without an errata ballot, but if anyone wants an errata ballot, that's fine too.

From: Public [mailto:public-boun...@cabforum.org] On Behalf Of Ben Wilson via 
Public
Sent: Thursday, September 21, 2017 8:23 AM
To: CABFPub 
Subject: [EXTERNAL][cabfpub] Ballot 190 and BR v. 1.5.2

With passage of Ballot 190, I have created a new version 1.5.2 of the Baseline 
Requirements, which I'll post shortly to the Forum website.  However, we've 
noticed in creating this version 1.5.2 that Ballot 190 was drafted before 
passage of Ballot 204, which removed "or Delegated Third Party" from section 
3.2.2.4.  Ballot 190 inadvertently added "or Delegated Third Party" back into 
the Baseline Requirements.  So Rich Smith, Tim Hollebeek and I are going to 
propose an errata ballot to re-remove "or Delegated Third Party" from section 
3.2.2.4, unless everyone thinks that the intent of Ballot 204 should supersede 
the contradictory language in Ballot 190.

Ben Wilson, JD, CISA, CISSP
VP Compliance
+1 801 701 9678



[cabfpub] Ballot 190 and BR v. 1.5.2

2017-09-21 Thread Ben Wilson via Public
With passage of Ballot 190, I have created a new version 1.5.2 of the
Baseline Requirements, which I'll post shortly to the Forum website.
However, we've noticed in creating this version 1.5.2 that Ballot 190 was
drafted before passage of Ballot 204, which removed "or Delegated Third
Party" from section 3.2.2.4.  Ballot 190 inadvertently added "or Delegated
Third Party" back into the Baseline Requirements.  So Rich Smith, Tim
Hollebeek and I are going to propose an errata ballot to re-remove "or
Delegated Third Party" from section 3.2.2.4, unless everyone thinks that the
intent of Ballot 204 should supersede the contradictory language in Ballot
190.


Ben Wilson, JD, CISA, CISSP

VP Compliance

+1 801 701 9678





Re: [cabfpub] Voting has started on Ballot 214 - CAA Discovery CNAME Errata

2017-09-21 Thread Frank Corday via Public
Trustwave votes NO to Ballot 214

Without a transition period, and the possibility of a subsequent transition 
period ballot failure, this scenario would create an awkward position for those 
which properly complied with the original BR CNAME requirements.

Trustwave would be supportive of Ballot 214 if the agreed transition period can 
be included.


Re: [cabfpub] [EXTERNAL]RE: Voting has started on Ballot 21 - CAA Discovery CNAME Errata

2017-09-21 Thread Tim Hollebeek via Public
The problem is that 214 could pass and the transition period ballot could fail, 
and that puts anyone who properly complied with the original BR CNAME 
requirements in an awkward position.

I think the better solution is to start a 7 day discussion period for a replacement 
ballot, and accept that people are going to have to wait an additional 8 days 
to use the errata.

-Tim

From: Public [mailto:public-boun...@cabforum.org] On Behalf Of Kirk Hall via 
Public
Sent: Wednesday, September 20, 2017 9:20 PM
To: Phillip; 'CA/Browser Forum Public Discussion List'
Subject: Re: [cabfpub] [EXTERNAL]RE: Voting has started on Ballot 21 - CAA 
Discovery CNAME Errata

If you want an amendment, propose it tomorrow, with a line to the effect that 
the amendment only takes effect if Ballot 214 is approved.  Start a new 7 day 
discussion period, 7 day voting period, and it will only lag by about 8 days.

From: Phillip [mailto:phill...@comodo.com]
Sent: Wednesday, September 20, 2017 6:17 PM
To: Kirk Hall <kirk.h...@entrustdatacard.com>; 'CA/Browser Forum Public Discussion List' <public@cabforum.org>
Subject: [EXTERNAL]RE: [cabfpub] Voting has started on Ballot 21 - CAA 
Discovery CNAME Errata

Damn, I was off mail today due to unforeseen circumstances.

Technically, I was the proposer of the motion, not that it matters. Josh posted 
it.


Re: [cabfpub] Voting has started on Ballot 214 - CAA Discovery CNAME Errata

2017-09-21 Thread Stephen Davidson via Public
QuoVadis votes yes.

Stephen


Re: [cabfpub] Voting has started on Ballot 214 - CAA Discovery CNAME Errata

2017-09-21 Thread Doug Beattie via Public
GlobalSign votes YES



Re: [cabfpub] Voting has started on Ballot 214 - CAA Discovery CNAME Errata

2017-09-21 Thread Gervase Markham via Public
Mozilla votes YES.

Gerv