On 10/11/16 18:40, Steve Medin via Public wrote:
> I like your point about making a customer’s permission to bypass CAA for
> their service public, such as with name constraints. CAs can communicate
> customer-initiated CAA bypass with a dedicated CP OID in the end entity
> certs. Customer request passes through to browser visibility.
I'm not saying that isn't a small improvement, but... let's say FooCDN is not a Symantec customer and has a CAA record to show this, and a cert turns up for somename.foocdn.com issued by Symantec, with this OID in it. The OID tells an annoyed foocdn.com that you didn't check CAA - "well gee, thanks" they say. They ask you how and why you issued it, and you say "well, BigFooCDNCustomer demonstrated domain control over somename.foocdn.com last year, and so it's on our list of domains we can issue certs for them for, without checking CAA". How would FooCDN react to this explanation?

One of the things Google, Amazon and others have said several times recently is that they'd like to use CAA to stop people who would otherwise be able to prove domain control from getting certs.

Gerv

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
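The CAA evaluation that Gerv's scenario turns on, written out as an added example (Python, not code from this thread or from any CA): RFC 6844 tree-climbing finds foocdn.com's CAA record when checking somename.foocdn.com, so the issuance check fails regardless of any prior domain validation on file. The zone contents and the issuer-domain names 'ca-of-foocdn.example' and 'symantec-ca.example' are constructed placeholders; CNAME following and DNSSEC are left out.

```python
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value) as in an RFC 6844 CAA RR
Zone = Dict[str, List[CaaRecord]]

# Constructed zone (hypothetical issuer domains): foocdn.com restricts issuance
# to its own CA; the customer hostname under it publishes no CAA of its own.
CAA_ZONE: Zone = {
    "foocdn.com": [(0, "issue", "ca-of-foocdn.example")],
    "example.net": [(0, "issue", "symantec-ca.example"), (0, "issuewild", ";")],
}

def relevant_caa(fqdn: str, zone: Zone) -> Tuple[Optional[str], List[CaaRecord]]:
    """Climb from fqdn toward the root; the first name holding CAA records is relevant."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []

def caa_permits(fqdn: str, ca: str, zone: Zone, wildcard: bool = False) -> Tuple[bool, str]:
    """May the CA known by issuer domain `ca` issue for fqdn under the relevant CAA set?"""
    name, records = relevant_caa(fqdn, zone)
    if not records:
        return True, "no CAA records anywhere in the tree"
    # A critical (flag bit 0x80) property the CA does not understand forbids issuance.
    if any(f & 0x80 and t not in ("issue", "issuewild", "iodef") for f, t, _ in records):
        return False, f"unknown critical CAA property at {name}"
    tag = "issuewild" if wildcard else "issue"
    values = [v for _, t, v in records if t == tag]
    if wildcard and not values:  # no issuewild: issue records govern wildcards too
        values = [v for _, t, v in records if t == "issue"]
    if not values:
        return True, f"CAA at {name} carries no {tag} restriction"
    # Value syntax is '<issuer-domain>[; key=value ...]'; an empty issuer means no CA.
    allowed = {v.split(";")[0].strip().lower() for v in values}
    if ca.lower() in allowed:
        return True, f"{ca} is authorised by CAA at {name}"
    return False, f"CAA at {name} authorises only {sorted(allowed - {''})}"

def issuance_decision(fqdn: str, ca: str, zone: Zone, validated: set) -> Tuple[bool, str]:
    """A domain validation on file never replaces the CAA check done at issuance time."""
    if not any(fqdn == d or fqdn.endswith("." + d) for d in validated):
        return False, "no domain validation on file"
    return caa_permits(fqdn, ca, zone)

if __name__ == "__main__":
    print(issuance_decision("somename.foocdn.com", "symantec-ca.example", CAA_ZONE, {"somename.foocdn.com"}))
```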
