On Fri, Mar 15, 2019 at 05:40:29PM -0400, Jan Schaumann via dev-security-policy wrote:
> Ryan Sleevi <r...@sleevi.com> wrote:
> > That is, an issue/issuewild parameter tag with a CA-specific property
> > defined by the CA/Browser Forum (or by IETF) that detailed specific
> > provisions for certain CNAMEs children.
>
> Hmm, maybe something like
>
> example.com CAA 0 issue "digicert.com"
> example.com CAA 0 override "someapp.example.com issue:letsencrypt.org"
>
> would mean that Digicert can issue certs for anything under example.com
> with the exception of 'someapp.example.com', for which only Let's
> Encrypt can issue a cert.
I've read through your posts on this topic several times, and I still don't understand the problem you're trying to solve. If you point a CNAME at someone else, then you're delegating to them control of that name. If they set CAA records on the CNAME target (or if they don't), and those CAA records (or lack thereof) do not represent a functioning configuration, you work with them to change it.

I speak on this issue not from a theoretical perspective -- I work for a SaaS provider which provides CNAME targets to its customers, and I built their certificate issuance pipeline, which uses LE for certificate issuance by default, and I built it to manage CAA records on the CNAME target to enforce that. For those (very few) customers who insist on BYO certs, we adjust the CAA record we publish to suit their requirements (remove it or point to another CA, as required). So far, several years in (we've been running this system for longer than CAA checking has been mandatory), this arrangement has managed to satisfy all of our customers, without any desire from anyone for alternate strategies.

In fact, I think this "override" mechanism would be *worse* than the current situation, as it would be separating operational control from the declaration of policy. What if whoever runs the site behind `someapp.example.com` changes from LE to Honest Achmed? They've got to contact all those customers who have set up "override" records and ask them to change those records. I can assure you that "ask customers to change their DNS records" comes a very close second to "perform a self-appendectomy without anaesthetic" on the list of things I really, really never want to have to do.

- Matt

-- 
<FreeFrag> The most secure computer in the world is one not connected to the internet. That's why I recommend Telstra ADSL.
-- bash.org/?168859

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy