BRs: Clarify whether 3.2.2.8 can be delegated #274

Open
sleevi opened this issue May 4, 2021 · 1 comment · Fixed by #475
Labels
baseline-requirements Server Certificate CWG - Baseline Requirements enhancement

Comments

@sleevi

sleevi commented May 4, 2021

CA/B Forum Ballot 187 made CAA checking Mandatory for CAs, a revision of Ballot 125 which had CAs document their CAA policies.

CA/B Forum Ballot 204, adopted 4 months after, forbade CAs from delegating the performance of 3.2.2.4 and 3.2.2.5 (DNS and IP validation).

@CBonnell raised on the management list that this suggests that CAs are allowed to delegate part, or all, of the CAA validation to third parties, as this is located within section 3.2.2.8, which Ballot 204 does not speak to.

Ballot 187 is structured in a way to describe when a CA may choose to not check CAA (i.e. if doing as part of a precert/final cert issuance and the precert was checked and logged, if issuing from a technically constrained sub CA, or if an affiliate of the CA, notwithstanding draft ballot SC26). However, it doesn't explicitly address the delegation to a third-party (e.g. a non-technically constrained sub-CA) and how that performance is measured.

Given the critical security importance of 3.2.2.8, which was the reason and rationale for not allowing 3.2.2.4/3.2.2.5 to be delegated, it seems important to clarify whether or not 3.2.2.8 can or should be delegated to third parties.

@barrini

barrini commented May 29, 2024

Let's wait for PAG outcome
