On Fri, Mar 15, 2019 at 05:40:29PM -0400, Jan Schaumann via dev-security-policy 
wrote:
> Ryan Sleevi <r...@sleevi.com> wrote:
> > That is, an issue/issuewild parameter tag with a CA-specific property
> > defined by the CA/Browser Forum (or by IETF) that detailed specific
> > provisions for certain CNAMEs children.
> 
> Hmm, maybe something like
> 
> example.com CAA 0 issue "digicert.com"
> example.com CAA 0 override "someapp.example.com issue:letsencrypt.org"
> 
> would mean that Digicert can issue certs for anything under example.com
> with the exception of 'someapp.example.com', for which only Let's
> Encrypt can issue a cert.

I've read through your posts on this topic several times, and I still don't
understand the problem you're trying to solve.  If you point a CNAME at
someone else, then you're delegating to them control of that name.  If they
set CAA records on the CNAME target (or if they don't), and those CAA records
(or lack thereof) do not represent a functioning configuration, you work
with them to change it.

I speak on this issue not from a theoretical perspective -- I work for a
SaaS provider which provides CNAME targets to its customers, and I built
their certificate issuance pipeline, which uses LE for certificate issuance
by default, and I built it to manage CAA records on the CNAME target to
enforce that.  For those (very few) customers who insist on BYO certs, we
adjust the CAA record we publish to suit their requirements (remove it or
point to another CA, as required).

So far, several years in (we've been running this system for longer than CAA
checking has been mandatory), this arrangement has managed to satisfy all of
our customers, without any desire from anyone for alternate strategies.

In fact, I think this "override" mechanism would be *worse* than the current
situation, as it would be separating operational control from the
declaration of policy.  What if whoever runs the site behind
`someapp.example.com` changes from LE to Honest Achmed?  They've got to
contact all those customers who have set up "override" records and ask them
to change those records.  I can assure you that "ask customers to change
their DNS records" comes a very close second to "perform a self-appendectomy
without anaesthetic" on the list of things I really, really never want to
have to do.

- Matt

-- 
<FreeFrag> The most secure computer in the world is one not connected to the
        internet.  That's why I recommend Telstra ADSL.
                -- bash.org/?168859

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
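The point Matt makes above (a CNAME hands the target's operator control over CAA for that name, and removing the record on the target falls back to whatever the customer publishes higher up) follows directly from how CAA lookup chases aliases and then climbs the tree. The following is an added illustration, not code from Matt or his employer: it implements the Relevant RRset and issue/issuewild logic of RFC 8659 over a small constructed in-memory zone, with hostnames under `customer.example` and `saas.example` chosen purely as placeholders.

```python
"""Toy CAA resolution following RFC 8659 (Section 3, Relevant RRset;
Section 4, issue / issuewild semantics) over a constructed in-memory zone.
No real DNS is queried; the zone below is sample data for illustration."""
from typing import Dict, List, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed sample zone. Names are fully qualified and lower-cased.
ZONE: Dict[str, Dict[str, object]] = {
    # The SaaS provider controls this name and publishes its CAA policy here.
    "cust-app.saas.example.": {"CAA": [(0, "issue", "letsencrypt.org")]},
    # A customer points their own hostname at the provider via CNAME.
    "app.customer.example.": {"CNAME": "cust-app.saas.example."},
    # The customer's apex carries their own, different policy.
    "customer.example.": {"CAA": [(0, "issue", "digicert.com")]},
    # A BYO-cert customer: the provider publishes no CAA on this target.
    "byo-app.saas.example.": {},
    "byo.customer.example.": {"CNAME": "byo-app.saas.example."},
}


def _resolve_alias(name: str, zone: dict, max_hops: int = 8) -> str:
    """Chase a CNAME chain (RFC 1034 4.3.2); returns the canonical name."""
    seen = set()
    while name in zone and "CNAME" in zone[name]:
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.add(name)
        name = zone[name]["CNAME"]
    return name


def caa_query(name: str, zone: dict) -> List[CAARecord]:
    """CAA(X): the CAA RRset for X after alias chasing; [] if none."""
    canonical = _resolve_alias(name, zone)
    return list(zone.get(canonical, {}).get("CAA", []))


def parent(name: str) -> str:
    """Parent(X): drop the leftmost label; 'customer.example.' -> 'example.'"""
    _, _, rest = name.partition(".")
    return rest if rest else "."


def relevant_caa_set(domain: str, zone: dict) -> List[CAARecord]:
    """RelevantCAASet(X): climb from X towards, but not including, the root.
    Aliases are chased at each step, but the climb continues from the
    original name's parent, not from the alias target's parent."""
    while domain != ".":
        rrset = caa_query(domain, zone)
        if rrset:
            return rrset
        domain = parent(domain)
    return []


def ca_may_issue(fqdn: str, ca_domain: str, zone: dict,
                 wildcard: bool = False) -> bool:
    """Decide whether `ca_domain` is authorised to issue for `fqdn`
    (or for *.fqdn when wildcard=True) under RFC 8659 Section 4."""
    rrset = relevant_caa_set(fqdn, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance unrestricted
    for flags, tag, _ in rrset:
        if flags & 0x80 and tag not in ("issue", "issuewild", "iodef"):
            return False  # unrecognised critical property: must not issue
    issue = [v for _, tag, v in rrset if tag == "issue"]
    issuewild = [v for _, tag, v in rrset if tag == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # only non-restricting tags (e.g. iodef) present
    # The domain is the text before any ';'-separated parameters; a bare
    # ";" value yields an empty domain, i.e. no CA is authorised.
    allowed = {v.split(";", 1)[0].strip().lower() for v in relevant}
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    for name in ("app.customer.example.", "byo.customer.example."):
        print(name, "->", relevant_caa_set(name, ZONE))
        for ca in ("letsencrypt.org", "digicert.com"):
            print("  ", ca, "may issue:", ca_may_issue(name, ca, ZONE))
```

Running it shows the two situations from the message: for `app.customer.example.` the lookup chases the CNAME and the provider's `issue "letsencrypt.org"` record governs, regardless of what the customer publishes at their apex; for the BYO case, where the provider has removed its record, the empty answer at the target sends the climb back to `customer.example.` and the customer's own `issue "digicert.com"` takes effect.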