SC46: Sunset the CAA exception for DNS operator #271
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@jsha @BenWilson-Mozilla For your review and sign-off before submitting as a Ballot. |
sleevi
changed the title
martn123446
reviewed
Jul 26, 2021
| @@ -158,6 +158,7 @@ The following Certificate Policy identifiers are reserved for use by CAs as an o | |||
| | 2020-09-30 | 7.1.4.1 | Subject and Issuer Names for all possible certification paths MUST be byte-for-byte identical. | | |||
| | 2020-09-30 | 7.1.6.4 | Subscriber Certificates MUST include a CA/Browser Form Reserved Policy Identifier in the Certificate Policies extension. | | |||
| | 2020-09-30 | 7.2 and 7.3 | All OCSP and CRL responses for Subordinate CA Certificates MUST include a meaningful reason code. | | |||
| | 2021-07-01 | 3.2.2.8 | CAA checking is no longer optional if the CA is the DNS Operator or an Affiliate. | | |||
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Purpose of Ballot
This Ballot addresses security issues with Section 3.2.2.8 regarding CAA checking.
Currently, Section 3.2.2.8 permits a CA to bypass CAA checking if the CA or an Affiliate of the CA is the DNS Operator. This term is referred to through RFC 7719, and involves a precise technical definition regarding how a zone's authoritative servers are configured and expressed (e.g. NS records). While this allows a CA to skip looking up the CAA record, it does not absolve them of the need to look up these other records on every issuance.
As practiced by CAs, this has clearly caused some confusion. For example, some CAs have incorrectly implemented policies that determine they're authoritative based on self-assertion that they are authoritative, which is not consistent with the current requirements.
To avoid these issues, this sunsets the CAA exception on 2021-07-01 for the DNS Operator, simplifying the requirements and reducing ambiguities for CAs performing validation.
The following motion has been proposed by Ryan Sleevi of Google and endorsed by Ben Wilson of Mozilla and Jacob Hoffman-Andrews of ISRG/Let's Encrypt.