Re: [cabfpub] Draft CAA motion (3)

2017-02-08 Thread Gervase Markham via Public
On 13/01/17 17:36, Ryan Sleevi wrote: > On Fri, Jan 13, 2017 at 7:23 AM, Gervase Markham via Public > > wrote: > > > Text proposals welcome. > > CAs MUST support the issue, issuewild, and iodef property tags. > Additional property tags MAY be

Re: [cabfpub] Draft CAA motion (3)

2017-01-19 Thread Gervase Markham via Public
On 19/01/17 16:11, Steve Medin wrote: > Gerv, in the event that a domain does not have CAA, would you be > willing to allow CAs to cache that result for longer than one hour? > You presently offer TTL or 1 hour, whichever is greater, when CAA is > present. Might a day be reasonable, since the

Re: [cabfpub] Draft CAA motion (3)

2017-01-19 Thread Doug Beattie via Public
> -Original Message- > From: Gervase Markham [mailto:g...@mozilla.org] > Sent: Thursday, January 19, 2017 8:33 AM > To: CA/Browser Forum Public Discussion List <public@cabforum.org> > Cc: Doug Beattie <doug.beat...@globalsign.com> > Subject: Re: [cabfpub] D

Re: [cabfpub] Draft CAA motion (3)

2017-01-19 Thread Gervase Markham via Public
On 19/01/17 13:25, Doug Beattie via Public wrote: > What did you intend by “adverse CAA records”? If a CA runs across a > CAA record that identifies other CAs that are authorized to issue but > not them, I don’t see a reason to report on that to CABF as you > suggested in the proposed ballot.

Re: [cabfpub] Draft CAA motion (3)

2017-01-19 Thread Doug Beattie via Public
...@cabforum.org] On Behalf Of Gervase Markham via Public Sent: Thursday, January 12, 2017 9:25 AM To: CABFPub <public@cabforum.org> Cc: Gervase Markham <g...@mozilla.org> Subject: [cabfpub] Draft CAA motion (3) CAs MUST document issuances that were prevented by an adverse CAA record in suffi

Re: [cabfpub] Draft CAA motion (3)

2017-01-16 Thread Gervase Markham via Public
On 13/01/17 22:32, Steve Medin wrote: > Pending questions handled by an explanatory new angle. Since EV > Certificate Approvers and their non-EV counterparts are implemented > in Enterprise RA accounts as 2FA-credentialed issuance portal > administrators with access to a pre-vetted collection of

Re: [cabfpub] Draft CAA motion (3)

2017-01-13 Thread Steve Medin via Public
. > -Original Message- > From: Gervase Markham [mailto:g...@mozilla.org] > Sent: Friday, January 13, 2017 5:25 AM > To: CA/Browser Forum Public Discussion List <public@cabforum.org> > Cc: Steve Medin <steve_me...@symantec.com> > Subject: Re: [cabfpub] Draft CAA mot

Re: [cabfpub] Draft CAA motion (3)

2017-01-13 Thread Ryan Sleevi via Public
blic-boun...@cabforum.org] *On Behalf Of *Ryan > Sleevi via Public > *Sent:* Friday, January 13, 2017 4:11 PM > *To:* Jeremy Rowley <jeremy.row...@digicert.com> > *Cc:* Ryan Sleevi <sle...@google.com>; CA/Browser Forum Public Discussion > List <public@cabforum.org> >

Re: [cabfpub] Draft CAA motion (3)

2017-01-13 Thread Dean Coclin via Public
, 2017 4:11 PM To: Jeremy Rowley <jeremy.row...@digicert.com> Cc: Ryan Sleevi <sle...@google.com>; CA/Browser Forum Public Discussion List <public@cabforum.org> Subject: Re: [cabfpub] Draft CAA motion (3) Jeremy, Was it intentional that you avoided answering on behalf of DigiCe

Re: [cabfpub] Draft CAA motion (3)

2017-01-13 Thread Jeremy Rowley via Public
row...@digicert.com> > Cc: CA/Browser Forum Public Discussion List <public@cabforum.org <mailto:public@cabforum.org> > Subject: Re: [cabfpub] Draft CAA motion (3) I would prefer if we base our time decisions on actual data, not hypothetical data. Put differently: Is 6 m

Re: [cabfpub] Draft CAA motion (3)

2017-01-13 Thread Jeremy Rowley via Public
n List <public@cabforum.org> Subject: Re: [cabfpub] Draft CAA motion (3) I would prefer if we base our time decisions on actual data, not hypothetical data. Put differently: Is 6 months sufficient for DigiCert to implement? Is it sufficient for Entrust? Those are things

Re: [cabfpub] Draft CAA motion (3)

2017-01-13 Thread Ryan Sleevi via Public
On Fri, Jan 13, 2017 at 7:23 AM, Gervase Markham via Public < public@cabforum.org> wrote: > On 13/01/17 14:55, Doug Beattie wrote: > > I'd suggest we include exactly what is required in the ballot and if > > the RFC changes then we have a new ballot to specify the changes and > > effective dates.

Re: [cabfpub] Draft CAA motion (3)

2017-01-13 Thread Ryan Sleevi via Public
Reposting on Jurgen's behalf, because this does add useful information to the discussion of timing and what CAs' other priorities are, which helps make sure browsers (like us) are cognizant of the impact :) On Fri, Jan 13, 2017 at 12:46 AM, Jürgen Brauckmann wrote: > Am

Re: [cabfpub] Draft CAA motion (3)

2017-01-13 Thread Gervase Markham via Public
On 13/01/17 14:55, Doug Beattie wrote: > I'd suggest we include exactly what is required in the ballot and if > the RFC changes then we have a new ballot to specify the changes and > effective dates. Well, it's not the RFC that would change - if it was, that would be simpler :-) It's the

Re: [cabfpub] Draft CAA motion (3)

2017-01-13 Thread Doug Beattie via Public
> -Original Message- > From: Gervase Markham [mailto:g...@mozilla.org] > > On 13/01/17 13:13, Doug Beattie wrote: > > As it stands, this means that CAs must support Issuer Critical, issue > > and issuewild today and then to support other Property Tags as they > > are added (without an

Re: [cabfpub] Draft CAA motion (3)

2017-01-13 Thread Gervase Markham via Public
On 13/01/17 13:13, Doug Beattie wrote: > As it stands, this means that CAs must support Issuer Critical, issue > and issuewild today and then to support other Property Tags as they are > added (without an indication of when they need to be supported). The > spec also says that you must check the

Re: [cabfpub] Draft CAA motion (3)

2017-01-13 Thread Gervase Markham via Public
Hi Bruce, On 12/01/17 18:28, Bruce Morton wrote: > There needs to be some consideration for existing agreements with > Subscribers. Is this the issue you raised in previous discussions, or a different issue? It seems the same, but I want to make sure. If it is the same, as noted in the comments

Re: [cabfpub] Draft CAA motion (3)

2017-01-12 Thread Ryan Sleevi via Public
On Thu, Jan 12, 2017 at 1:15 PM, Bruce Morton < bruce.mor...@entrustdatacard.com> wrote: > > How often does that scenario happen - that you're issuing a server > certificate via ceremony (as opposed to an intermediate or root > certificate)? > > *[BM] We have a model where about 20-30 certificates

Re: [cabfpub] Draft CAA motion (3)

2017-01-12 Thread Bruce Morton via Public
Hi Ryan, responses below. Thanks, Bruce. From: Ryan Sleevi [mailto:sle...@google.com] Sent: Thursday, January 12, 2017 3:39 PM To: CA/Browser Forum Public Discussion List <public@cabforum.org> Cc: Bruce Morton <bruce.mor...@entrustdatacard.com> Subject: Re: [cabfpub] Draft C

Re: [cabfpub] Draft CAA motion (3)

2017-01-12 Thread Steve Medin via Public
Public Sent: Thursday, January 12, 2017 1:28 PM To: CA/Browser Forum Public Discussion List <public@cabforum.org> Cc: Bruce Morton <bruce.mor...@entrustdatacard.com> Subject: Re: [cabfpub] Draft CAA motion (3) Hi Gerv, Thanks for pulling this together and addressing Jody’s request a

[cabfpub] Draft CAA motion (3)

2017-01-12 Thread Gervase Markham via Public
Hi everyone, As we are trying to get ballots ready for when the ballot reforms are done, here's a third version of the draft motion to make CAA mandatory. Changes over version 2 are: * Add a further exception: "CAA checking is optional if the domain's DNS is operated by the CA or an Affiliate."