[cabfpub] Announcement: Requiring Certificate Transparency in 2017

2016-10-24 Thread Ryan Sleevi via Public
[Note: This is cross-posted. The best venue for follow-up questions is the public mailing list at ct-pol...@chromium.org or the post at https://groups.google.com/a/chromium.org/d/msg/ct-policy/78N3SMcqUGw/ykIwHXuqAQAJ ] This past week at the 39th meeting of the CA/Browser Forum, the Chrome team

Re: [cabfpub] Continuing the discussion on CAA

2016-10-24 Thread Peter Bowen via Public
Kirk, I can comment on amazonaws.com. AWS only has three CAs we use - Symantec/VeriSign, DigiCert, and Amazon. Here are some certificates that were not authorized by the domain registrant: https://crt.sh/?id=31536432 (StartCom) https://crt.sh/?id=30860174

Re: [cabfpub] Continuing the discussion on CAA

2016-10-24 Thread Ryan Sleevi via Public
Kirk, It's sad to see your promise was so short lived. That is, the "I promise I will read the links carefully for the details you have provided." promise you made one hour ago. Since your message is not appearing in the archives, I'll link you to the reply in which I quoted you, in the hopes

Re: [cabfpub] Continuing the discussion on CAA

2016-10-24 Thread Kirk Hall via Public
Thanks Ryan – that is helpful. Can you tell us who ordered the two certificates you listed? By an employee, or by a fraudster? In what way was the googleusercontent.com cert “not authorized”? From: Ryan Sleevi [mailto:sle...@google.com] Sent: Monday, October 24, 2016 1:58 PM To: Kirk Hall

Re: [cabfpub] Continuing the discussion on CAA

2016-10-24 Thread Ryan Sleevi via Public
On Mon, Oct 24, 2016 at 1:38 PM, Kirk Hall wrote: > Ryan, this discussion is happening on the Public list, and members of the > public were not at our meeting. > Which is why minutes of our phone calls and meetings are so important. > So please drop your

Re: [cabfpub] Continuing the discussion on CAA

2016-10-24 Thread Kirk Hall via Public
Ryan, this discussion is happening on the Public list, and members of the public were not at our meeting. So please drop your quibbling, and just restate whatever evidence you have – on the Public list, so everyone can evaluate it – that CAA would have prevented any known misissuance of

Re: [cabfpub] Continuing the discussion on CAA

2016-10-24 Thread Ryan Sleevi via Public
On Mon, Oct 24, 2016 at 12:09 PM, Kirk Hall wrote: > Yes, please provide the links to all – I certainly don’t remember any > details from what you have said in the past, and others feel the same way. > I promise I will read the links carefully for the details you

Re: [cabfpub] Clarification of the "CA" term in the BRs

2016-10-24 Thread Dimitris Zacharopoulos via Public
Hi Peter, Things can be very complicated if we only decide to introduce every type of combination (keys, subject information, policy identifiers, extensions) :) The current BR language is ambiguous, but for a person who has enough knowledge and has been around the CA business for a while,

Re: [cabfpub] EXTERNAL: Re: Continuing the discussion on CAA

2016-10-24 Thread Jeremy Rowley via Public
"CAA records MAY be used by Certificate Evaluators as a possible indicator of a security policy violation. Such use SHOULD take account of the possibility that published CAA records changed between the time a certificate was issued and the time at which the certificate was observed by

Re: [cabfpub] Continuing the discussion on CAA

2016-10-24 Thread Ryan Sleevi via Public
On Mon, Oct 24, 2016 at 11:32 AM, Kirk Hall wrote: > Ryan, I have to admit I have not always understood your response on > Jeremy’s question (which I have asked myself). You have said at times “we > already answered that”, but I think many of us can’t recall what

Re: [cabfpub] EXTERNAL: Re: Continuing the discussion on CAA

2016-10-24 Thread Mehner, Carl via Public
> On 24/10/16 16:40, Jeremy Rowley via Public wrote: > > Has there been an issuance to a third party that CAA would have > prevented? We have an internal policy that describes which CAs are allowed for use, there have been cases where other teams or entities have issued a certificate that did

Re: [cabfpub] Continuing the discussion on CAA

2016-10-24 Thread Ryan Sleevi via Public
Jeremy, This has been repeatedly asked on calls, and each time Google provides details about how it has prevented unauthorized issuance? Can we accept CAA has worked, helped for those CAs that check, and move on? On Mon, Oct 24, 2016 at 8:40 AM, Jeremy Rowley via Public < public@cabforum.org>

Re: [cabfpub] Clarification of the "CA" term in the BRs

2016-10-24 Thread Peter Bowen via Public
Dimitris, Thank you for working on this. The lack of clarity with regards to “Root CA” and “Subordinate CA” is one that needs resolving to ensure all have a common understanding of what it expected of them. I also appreciate the objective to change as little as possible to get this clarity.

Re: [cabfpub] Continuing the discussion on CAA

2016-10-24 Thread Doug Beattie via Public
Jeremy, I agree - For the Managed service model where CAs pre-vet domains we’d like to check CAA at the domain level and re-use that for all subdomains. Maybe we can tie CAA into the domain validation process and allow the application of CAA and domain validation to the same Authorization

Re: [cabfpub] Continuing the discussion on CAA

2016-10-24 Thread Jeremy Rowley via Public
Thanks Gerv. Very useful. I think there are just three concerns with CAA I'd like to address before hard-fail is required: 1) CAA is currently an issuance check rather than a validation check. As mentioned during the face-to-face, this is a hurdle in fast issuance of certificates. We liked
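What the issuance-time CAA check that Jeremy describes (and the domain-level check with subdomain re-use that Doug Beattie asks about in the message above) actually does in practice, written out as an added example. This is not code from any message in this thread, from the CA/Browser Forum, or from any CA; it follows the RFC 6844 processing as I understand it, and the zone contents, owner names and CA identifiers are constructed for the example. A real CA would fetch the RRsets through a validating resolver at issuance time, which is also why the check says nothing about records that change after the certificate exists (the Certificate Evaluator caveat Jeremy Rowley quotes elsewhere in this thread).

```python
"""CAA issue/issuewild evaluation in the RFC 6844 style (added example).

Not code from the CA/B Forum or any CA. The ZONE contents are constructed
for the example; a real CA would obtain the RRsets via a validating resolver.
"""
from dataclasses import dataclass

CRITICAL = 0x80          # issuer-critical flag, bit 0 of the flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed zone data, keyed by absolute owner name (not real DNS data).
ZONE = {
    "example.com.": [
        CAA(0, "issue", "ca-one.example"),
        CAA(0, "issue", "ca-two.example; account=42"),   # parameters after ';' ignored here
        CAA(0, "issuewild", ";"),                         # nobody may issue wildcards
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com.": [CAA(0, "issue", ";")],          # explicit "no issuance"
    "odd.example.com.": [CAA(CRITICAL, "futuretag", "x")],  # unknown critical tag
    "onlyiodef.example.com.": [CAA(0, "iodef", "mailto:soc@example.com")],
}


def parent(name):
    """'a.b.c.' -> 'b.c.'; 'c.' -> None (stop before the root)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else None


def relevant_caa_set(fqdn, zone):
    """Climb from fqdn towards the TLD; the first owner with CAA records wins.

    This is why a CAA RRset at example.com. governs every subdomain that has
    no RRset of its own. A wildcard request *.x is evaluated starting at x
    (assumption: the literal '*.x' owner is not consulted in this example).
    """
    name = fqdn.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    name += "."
    while name is not None:
        rrset = zone.get(name, [])
        if rrset:
            return name, rrset
        name = parent(name)
    return None, []


def issuer_domain(value):
    """'ca.example; account=42' -> 'ca.example'; ';' or '' -> None (no issuer)."""
    head = value.split(";", 1)[0].strip().lower()
    return head or None


def caa_permits(fqdn, ca_domain, zone=ZONE):
    """Return (allowed, reason) for issuing a cert for fqdn as the CA ca_domain."""
    owner, rrset = relevant_caa_set(fqdn, zone)
    if not rrset:
        return True, "no CAA records anywhere up the tree: issuance unrestricted"
    # A critical record the CA does not understand forbids issuance outright.
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False, f"{owner}: critical record with unknown tag, must not issue"
    tag = "issue"
    if fqdn.startswith("*.") and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"          # issuewild overrides issue for wildcard names
    applicable = [r for r in rrset if r.tag.lower() == tag]
    if not applicable:
        return True, f"{owner}: no {tag} records, issuance unrestricted"
    allowed = {issuer_domain(r.value) for r in applicable}
    if ca_domain.lower() in allowed:
        return True, f"{owner}: {tag} authorises {ca_domain}"
    return False, f"{owner}: {tag} records do not name {ca_domain}"


if __name__ == "__main__":
    for host, ca in [("www.example.com", "ca-one.example"),
                     ("www.example.com", "rogue.example"),
                     ("*.example.com", "ca-one.example"),
                     ("locked.example.com", "ca-one.example"),
                     ("odd.example.com", "ca-one.example"),
                     ("onlyiodef.example.com", "rogue.example"),
                     ("nocaa.example", "rogue.example")]:
        ok, why = caa_permits(host, ca)
        print(f"{'ISSUE ' if ok else 'REFUSE'} {host:24} {ca:16} {why}")
```

The two behaviours the thread keeps circling back to are both visible here: `www.example.com` inherits the `example.com.` policy because the climb stops at the first owner that has records, so a CA that validated the registered domain can apply the same RRset to its subdomains, while `locked.example.com.` with its own `issue ";"` record overrides the parent and refuses everyone. The check is only as good as the resolver answer at the moment of issuance; nothing in it detects a record that was absent or different when the certificate was actually issued.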

Re: [cabfpub] Continuing the discussion on CAA

2016-10-24 Thread Eric Mill via Public
On Mon, Oct 24, 2016 at 7:37 AM, Gervase Markham via Public < public@cabforum.org> wrote: > Hi Eneli, > > On 24/10/16 12:08, Eneli Kirme via Public wrote: > > But consider this scenario: a hypothetical CoolCA approaching a DNS > > service provider, be it an ISP, domain registrar or some kind of

Re: [cabfpub] Continuing the discussion on CAA

2016-10-24 Thread Jeremy Rowley via Public
Has there been an issuance to a third party that CAA would have prevented? Since there's no way to ensure compliance with a hard-fail CAA requirement, will CAA do anything useful? We don't mind CAA as a validation check, but I'm curious if anyone knows of an issued cert that would have been

Re: [cabfpub] Continuing the discussion on CAA

2016-10-24 Thread Gervase Markham via Public
On 24/10/16 14:58, Peter Bowen wrote: > This could be very problematic for CAs that also do DNS hosting, as > it could result in a situation where a user who has authorization to > modify any DNS record in a zone could not modify CAA records because > they are not the "domain owner”. Then we need

Re: [cabfpub] Continuing the discussion on CAA

2016-10-24 Thread Gervase Markham via Public
Hi Eneli, On 24/10/16 12:08, Eneli Kirme via Public wrote: > But consider this scenario: a hypothetical CoolCA approaching a DNS > service provider, be it an ISP, domain registrar or some kind of hosting > provider, with a proposal to include a CAA record pointing to the CoolCA > into their

Re: [cabfpub] Continuing the discussion on CAA

2016-10-24 Thread Eneli Kirme via Public
Hi all, Although we appreciate your concerns on protecting users from incapable CAs, we'd like to point out that we, as a small CA, fear a side-effect of it being an instrument for market manipulation. Most of the concerns brought up here so far have been about corporations where there's