draft-ietf-lamps-rfc6844bis-02.txt | draft-ietf-lamps-rfc6844bis-03.txt

Side-by-side diff rendered in one column: text common to both versions
is shown once; where the versions differ, the -02 text is prefixed
"-02:" and the -03 text "-03:".

-02:
Network Working Group                                    P. Hallam-Baker
Internet-Draft                                              R. Stradling
Obsoletes: 6844 (if approved)                          Comodo Group, Inc
Intended status: Standards Track                      J. Hoffman-Andrews
Expires: May 8, 2019                                       Let's Encrypt
                                                       November 04, 2018

-03:
Network Working Group                                    P. Hallam-Baker
Internet-Draft                                         Comodo Group, Inc
Obsoletes: 6844 (if approved)                               R. Stradling
Intended status: Standards Track                                 Sectigo
Expires: May 10, 2019                                 J. Hoffman-Andrews
                                                           Let's Encrypt
                                                       November 06, 2018

     DNS Certification Authority Authorization (CAA) Resource Record
-02:                  draft-ietf-lamps-rfc6844bis-02
-03:                  draft-ietf-lamps-rfc6844bis-03

Abstract

   The Certification Authority Authorization (CAA) DNS Resource Record
   allows a DNS domain name holder to specify one or more Certification
   Authorities (CAs) authorized to issue certificates for that domain.
   CAA Resource Records allow a public Certification Authority to
   implement additional controls to reduce the risk of unintended
   certificate mis-issue.  This document defines the syntax of the CAA
   record and rules for processing CAA records by certificate issuers.
[skipping to change at page 1, line 40 (-02) / page 1, line 41 (-03)]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

-02:   This Internet-Draft will expire on May 8, 2019.
-03:   This Internet-Draft will expire on May 10, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
[skipping to change at page 7, line 40]

   set exists, a CA MUST NOT issue a certificate unless the CA
   determines that either (1) the certificate request is consistent with
   the applicable CAA Resource Record set or (2) an exception specified
   in the relevant Certificate Policy or Certification Practices
   Statement applies.

   A certificate request MAY specify more than one domain name and MAY
   specify wildcard domains.  Issuers MUST verify authorization for all
   the domains and wildcard domains specified in the request.

-02:   The search for a CAA record climbs the DNS name tree from the
       specified label up to but not including the DNS root '.' until CAA
       records are found.
-03:   The search for a CAA Resource Record set climbs the DNS name tree
       from the specified label up to but not including the DNS root '.'
       until a CAA Resource Record set is found.

   Given a request for a specific domain name X, or a request for a
   wildcard domain name *.X, the relevant record set RelevantCAASet(X)
   is determined as follows:

   Let CAA(X) be the record set returned by performing a CAA record
   query for the domain name X, according to the lookup algorithm
   specified in RFC 1034 section 4.3.2 (in particular chasing aliases).

   Let Parent(X) be the domain name produced by removing the leftmost
   label of X.
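The RelevantCAASet(X) tree climb and the per-name authorization check described above, as an added worked example; this is not code from the draft or from any CA. It uses a constructed in-memory zone (ZONE) in place of the CA's recursive resolver, so alias chasing is assumed to have already happened inside the lookup, which is why the climb itself never follows CNAMEs (the simplified algorithm this revision adopts). Three decisions go beyond the text shown on this page and follow the rules as published in RFC 8659, each marked in a comment: wildcard names use issuewild tags when present and otherwise fall back to issue tags; a non-empty RRset with no issue or issuewild tags does not restrict issuance; and an unrecognized tag carrying the critical flag blocks issuance. Issue values are split at ';' because the issuevalue grammar separates the issuer domain name from its parameters with a semicolon.

```python
"""Added example: CAA tree-climbing lookup and issuance decision.

Not code from the draft or from any CA.  ZONE is constructed sample
data standing in for the CA's recursive resolver.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

CRITICAL = 0x80  # "issuer critical" flag bit of a CAA record (RFC 6844/8659)


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed zone data.  The resolver is assumed to have chased aliases
# already (RFC 1034 section 4.3.2), so www.example.com, a CNAME to a
# hosting provider that publishes no CAA, simply yields an empty set.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com.": [
        CAARecord(0, "issue", "ca1.example.net"),
        CAARecord(0, "issuewild", "ca2.example.net"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "www.example.com.": [],
    "locked.example.com.": [CAARecord(0, "issue", ";")],  # empty issuer: nobody may issue
    "notes.example.org.": [CAARecord(0, "iodef", "mailto:caa@example.org")],
    "strict.example.org.": [CAARecord(CRITICAL, "future-tag", "x")],
}

Lookup = Callable[[str], Optional[List[CAARecord]]]


def normalize(name: str) -> str:
    return name.strip().lower().rstrip(".") + "."


def parent(name: str) -> str:
    """Parent(X): X with its leftmost label removed; the root is '.'."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def relevant_caa_set(name: str, lookup: Lookup) -> List[CAARecord]:
    """RelevantCAASet(X): climb from X toward, but not including, the
    root and return the first non-empty CAA(X).  No CNAME/DNAME handling
    here: in the simplified algorithm that is the resolver's job."""
    x = normalize(name)
    while x != ".":
        rrset = lookup(x)
        if rrset:
            return list(rrset)
        x = parent(x)
    return []


def issuer_domain(value: str) -> str:
    """issuer-domain-name part of an issue/issuewild value.  Parameters,
    if any, follow a ';' in the issuevalue grammar and are ignored here."""
    return value.split(";", 1)[0].strip().lower()


def authorized(name: str, issuer: str, lookup: Lookup) -> Tuple[bool, str]:
    """May `issuer` issue for `name` (a plain FQDN or '*.X')?"""
    wildcard = name.startswith("*.")
    rrset = relevant_caa_set(name[2:] if wildcard else name, lookup)
    if not rrset:
        return True, "no CAA RRset on the path: issuance unrestricted"
    # Beyond the page text (RFC 8659 rule): an unrecognized tag marked
    # critical means the CA does not understand the policy; do not issue.
    for rr in rrset:
        if rr.flags & CRITICAL and rr.tag.lower() not in {"issue", "issuewild", "iodef"}:
            return False, f"unrecognized critical tag {rr.tag!r}"
    # Beyond the page text (RFC 8659 rule): wildcards are governed by
    # issuewild when present, else by issue; plain names by issue only.
    tag = "issuewild" if wildcard and any(
        rr.tag.lower() == "issuewild" for rr in rrset) else "issue"
    allowed = [issuer_domain(rr.value) for rr in rrset if rr.tag.lower() == tag]
    if not allowed:
        # Non-empty RRset with no issue/issuewild tags (e.g. only iodef):
        # treated as not restricting issuance, per RFC 8659.
        return True, f"RRset has no {tag} tags: issuance unrestricted"
    if issuer.lower() in allowed:
        return True, f"{tag} tag authorizes {issuer}"
    return False, f"{tag} tags {allowed} do not name {issuer}"


def check_request(names: List[str], issuer: str,
                  lookup: Lookup = ZONE.get) -> Tuple[bool, Dict[str, Tuple[bool, str]]]:
    """Every name in the request, wildcards included, must pass; if any
    fails, the CA MUST NOT issue (absent a CP/CPS exception)."""
    results = {n: authorized(n, issuer, lookup) for n in names}
    return all(ok for ok, _ in results.values()), results


if __name__ == "__main__":
    ok, detail = check_request(["example.com", "www.example.com", "*.example.com"],
                               "ca1.example.net")
    print("issue:", ok)
    for n, (passed, why) in detail.items():
        print(f"  {n}: {'ok' if passed else 'REFUSE'} ({why})")
```

With the constructed zone, ca1.example.net is authorized for example.com and, via the climb, for www.example.com, but the same request is refused as a whole once *.example.com is added, because the issuewild tag names only ca2.example.net. Swapping `ZONE.get` for a function that performs a real CAA query through the CA's resolver is the only change needed to run this against live DNS.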
[skipping to change at page 16, line 28]

   when used on domains that utilize many CNAMEs, and would have made it
   difficult for hosting providers to set CAA policies on their own
   domains without setting potentially unwanted CAA policies on their
   customers' domains.  This document specifies a simplified processing
   algorithm that only performs tree climbing on the domain being
   processed, and leaves processing of CNAMEs and DNAMEs up to the CA's
   recursive resolver.

   This document also includes a "Deployment Considerations" section
   detailing experience gained with practical deployment of CAA
-02:   enforcement amount CAs in the WebPKI.
-03:   enforcement among CAs in the WebPKI.

   This document clarifies the ABNF grammar for issue and issuewild tags
   and resolves some inconsistencies with the document text.  In
   particular, it specifies that parameters are separated with hyphens.
   It also allows hyphens in property names.

   This document also clarifies processing of a CAA RRset that is not
   empty, but contains no issue or issuewild tags.

9.  IANA Considerations
[skipping to change at page 19, line 26]

              <https://www.rfc-editor.org/info/rfc3647>.

Authors' Addresses

   Phillip Hallam-Baker
   Comodo Group, Inc

   Email: philliph@comodo.com

   Rob Stradling
-02:   Comodo Group, Inc
-03:   Sectigo Ltd.

-02:   Email: rob.stradling@comodo.com
-03:   Email: rob@sectigo.com

   Jacob Hoffman-Andrews
   Let's Encrypt

   Email: jsha@letsencrypt.org

End of changes.  7 change blocks.  13 lines changed or deleted, 14 lines
changed or added.

This html diff was produced by rfcdiff 1.47.  The latest version is
available from http://tools.ietf.org/tools/rfcdiff/