draft-ietf-lamps-rfc6844bis-02.txt | draft-ietf-lamps-rfc6844bis-03.txt
---|---
Network Working Group P. Hallam-Baker | Network Working Group P. Hallam-Baker | |||
Internet-Draft R. Stradling | Internet-Draft Comodo Group, Inc | |||
Obsoletes: 6844 (if approved) Comodo Group, Inc | Obsoletes: 6844 (if approved) R. Stradling | |||
Intended status: Standards Track J. Hoffman-Andrews | Intended status: Standards Track Sectigo | |||
Expires: May 8, 2019 Let's Encrypt | Expires: May 10, 2019 J. Hoffman-Andrews | |||
November 04, 2018 | Let's Encrypt | |||
November 06, 2018 | ||||
DNS Certification Authority Authorization (CAA) Resource Record | DNS Certification Authority Authorization (CAA) Resource Record | |||
draft-ietf-lamps-rfc6844bis-02 | draft-ietf-lamps-rfc6844bis-03 | |||
Abstract | Abstract | |||
The Certification Authority Authorization (CAA) DNS Resource Record | The Certification Authority Authorization (CAA) DNS Resource Record | |||
allows a DNS domain name holder to specify one or more Certification | allows a DNS domain name holder to specify one or more Certification | |||
Authorities (CAs) authorized to issue certificates for that domain. | Authorities (CAs) authorized to issue certificates for that domain. | |||
CAA Resource Records allow a public Certification Authority to | CAA Resource Records allow a public Certification Authority to | |||
implement additional controls to reduce the risk of unintended | implement additional controls to reduce the risk of unintended | |||
certificate mis-issue. This document defines the syntax of the CAA | certificate mis-issue. This document defines the syntax of the CAA | |||
record and rules for processing CAA records by certificate issuers. | record and rules for processing CAA records by certificate issuers. | |||
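Review bot: the -03 header gives Rob Stradling's affiliation as "Sectigo" while the updated Authors' Addresses section of the same draft gives "Sectigo Ltd."; use one form in both places. Phillip Hallam-Baker's affiliation (Comodo Group, Inc) is unchanged in both the header and the addresses, so only Stradling's entry needs aligning.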
skipping to change at page 1, line 40 ¶ | skipping to change at page 1, line 41 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on May 8, 2019. | This Internet-Draft will expire on May 10, 2019. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 7, line 40 ¶ | skipping to change at page 7, line 40 ¶ | |||
set exists, a CA MUST NOT issue a certificate unless the CA | set exists, a CA MUST NOT issue a certificate unless the CA | |||
determines that either (1) the certificate request is consistent with | determines that either (1) the certificate request is consistent with | |||
the applicable CAA Resource Record set or (2) an exception specified | the applicable CAA Resource Record set or (2) an exception specified | |||
in the relevant Certificate Policy or Certification Practices | in the relevant Certificate Policy or Certification Practices | |||
Statement applies. | Statement applies. | |||
A certificate request MAY specify more than one domain name and MAY | A certificate request MAY specify more than one domain name and MAY | |||
specify wildcard domains. Issuers MUST verify authorization for all | specify wildcard domains. Issuers MUST verify authorization for all | |||
the domains and wildcard domains specified in the request. | the domains and wildcard domains specified in the request. | |||
The search for a CAA record climbs the DNS name tree from the | The search for a CAA Resource Record set climbs the DNS name tree | |||
specified label up to but not including the DNS root '.' until CAA | from the specified label up to but not including the DNS root '.' | |||
records are found. | until a CAA Resource Record set is found. | |||
Given a request for a specific domain name X, or a request for a | Given a request for a specific domain name X, or a request for a | |||
wildcard domain name *.X, the relevant record set RelevantCAASet(X) | wildcard domain name *.X, the relevant record set RelevantCAASet(X) | |||
is determined as follows: | is determined as follows: | |||
Let CAA(X) be the record set returned by performing a CAA record | Let CAA(X) be the record set returned by performing a CAA record | |||
query for the domain name X, according to the lookup algorithm | query for the domain name X, according to the lookup algorithm | |||
specified in RFC 1034 section 4.3.2 (in particular chasing aliases). | specified in RFC 1034 section 4.3.2 (in particular chasing aliases). | |||
Let Parent(X) be the domain name produced by removing the leftmost | Let Parent(X) be the domain name produced by removing the leftmost | |||
label of X. | label of X. | |||
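Review bot: the rewritten sentence still starts the climb "from the specified label", while the algorithm that follows is stated in terms of a domain name X (RelevantCAASet(X), CAA(X), Parent(X)); consider "from the domain name X" so the prose and the definitions use the same term. The change from "until CAA records are found" to "until a CAA Resource Record set is found" does bring this sentence in line with "the applicable CAA Resource Record set" earlier in the section, but since the changes section separately notes that a non-empty RRset may contain no issue or issuewild tags, saying explicitly that the climb stops at the first non-empty CAA RRset, whatever tags it carries, would remove the remaining ambiguity.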
skipping to change at page 16, line 28 ¶ | skipping to change at page 16, line 28 ¶ | |||
when used on domains that utilize many CNAMEs, and would have made it | when used on domains that utilize many CNAMEs, and would have made it | |||
difficult for hosting providers to set CAA policies on their own | difficult for hosting providers to set CAA policies on their own | |||
domains without setting potentially unwanted CAA policies on their | domains without setting potentially unwanted CAA policies on their | |||
customers' domains. This document specifies a simplified processing | customers' domains. This document specifies a simplified processing | |||
algorithm that only performs tree climbing on the domain being | algorithm that only performs tree climbing on the domain being | |||
processed, and leaves processing of CNAMEs and DNAMEs up to the CA's | processed, and leaves processing of CNAMEs and DNAMEs up to the CA's | |||
recursive resolver. | recursive resolver. | |||
This document also includes a "Deployment Considerations" section | This document also includes a "Deployment Considerations" section | |||
detailing experience gained with practical deployment of CAA | detailing experience gained with practical deployment of CAA | |||
enforcement amount CAs in the WebPKI. | enforcement among CAs in the WebPKI. | |||
This document clarifies the ABNF grammar for issue and issuewild tags | This document clarifies the ABNF grammar for issue and issuewild tags | |||
and resolves some inconsistencies with the document text. In | and resolves some inconsistencies with the document text. In | |||
particular, it specifies that parameters are separated with hyphens. | particular, it specifies that parameters are separated with hyphens. | |||
It also allows hyphens in property names. | It also allows hyphens in property names. | |||
This document also clarifies processing of a CAA RRset that is not | This document also clarifies processing of a CAA RRset that is not | |||
empty, but contains no issue or issuewild tags. | empty, but contains no issue or issuewild tags. | |||
9. IANA Considerations | 9. IANA Considerations | |||
skipping to change at page 19, line 26 ¶ | skipping to change at page 19, line 26 ¶ | |||
<https://www.rfc-editor.org/info/rfc3647>. | <https://www.rfc-editor.org/info/rfc3647>. | |||
Authors' Addresses | Authors' Addresses | |||
Phillip Hallam-Baker | Phillip Hallam-Baker | |||
Comodo Group, Inc | Comodo Group, Inc | |||
Email: philliph@comodo.com | Email: philliph@comodo.com | |||
Rob Stradling | Rob Stradling | |||
Comodo Group, Inc | Sectigo Ltd. | |||
Email: rob.stradling@comodo.com | Email: rob@sectigo.com | |||
Jacob Hoffman-Andrews | Jacob Hoffman-Andrews | |||
Let's Encrypt | Let's Encrypt | |||
Email: jsha@letsencrypt.org | Email: jsha@letsencrypt.org | |||
End of changes. 7 change blocks. 13 lines changed or deleted, 14 lines changed or added.
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |