Re: [TLS] [pkix] Proposing CAA as PKIX Working Group Item

Michael D'Errico <> Thu, 02 June 2011 00:12 UTC

Date: Wed, 01 Jun 2011 17:12:37 -0700
From: Michael D'Errico <>
To: Paul Hoffman <>
Cc:, TLS Mailing List <>
Subject: Re: [TLS] [pkix] Proposing CAA as PKIX Working Group Item

Paul Hoffman wrote:
> I support the PKIX WG adopting as a work item (wording taken from the CAA draft's text) "DNS Resource Records that allow a DNS domain name holder to specify the certificate signing certificate(s) authorized to issue certificates for that domain".

I haven't read the draft, but from the quote it appears that
this could improve the weakest part of TLS (as it is used
today in browsers) where any of the hundreds of preinstalled
root CAs is trusted to issue a certificate to any possible
domain name.

[CC'ed to the TLS working group]
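Added example, not part of this message or of the CAA draft itself: a small Python model of the check a CA would run against a domain's CAA records before issuing, which is what turns the "any preinstalled root CA can issue for any name" status quo into a domain-holder-controlled allow list. The evaluation rules used here (climb to the parent name until a CAA RRset is found; no RRset anywhere means unrestricted; issuewild overrides issue for wildcard names; a value of ";" authorizes no CA; an unrecognised critical property blocks issuance) are my reading of what the draft became, RFC 6844, and the zone data is constructed.

```python
from dataclasses import dataclass

ISSUER_CRITICAL = 0x80     # flags bit: a critical tag the CA does not know blocks issuance
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str   # issue/issuewild: "<ca-domain>[; params]", or ";" meaning no CA at all

def relevant_rrset(zone, name):
    """Climb from name to its parents; return the first CAA RRset ([] if none)."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":              # wildcard request: evaluate at the parent name
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return list(rrset)
    return []

def issuance_permitted(zone, name, ca_domain):
    """Decide whether the CA identified by ca_domain may issue a cert for name."""
    rrset = relevant_rrset(zone, name)
    if not rrset:                     # no CAA published: today's 'any root CA' status quo
        return True
    if any(r.flags & ISSUER_CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False                  # unrecognised critical property: must not issue
    issuers = [r for r in rrset if r.tag == "issuewild"] if name.startswith("*.") else []
    if not issuers:                   # no issuewild: the issue properties govern wildcards too
        issuers = [r for r in rrset if r.tag == "issue"]
    if not issuers:                   # only iodef etc.: no restriction on issuers
        return True
    wanted = ca_domain.lower().rstrip(".")
    for r in issuers:
        authorized = r.value.split(";", 1)[0].strip().lower()
        if authorized and authorized == wanted:
            return True
    return False                      # restricted, and this CA is not authorised

# Constructed sample zone (not real DNS data): owner name -> CAA RRset
ZONE = {
    "example.com": [CAARecord(0, "issue", "ca.example.net"),
                    CAARecord(0, "iodef", "mailto:security@example.com")],
    "locked.example.com": [CAARecord(0, "issue", ";")],
    "wild.example.com": [CAARecord(0, "issue", "ca.example.net"),
                         CAARecord(0, "issuewild", ";")],
    "future.example.com": [CAARecord(ISSUER_CRITICAL, "newtag", "x")],
}
```

A real CA would fetch the RRsets over DNS (ideally DNSSEC-validated) instead of the inline dictionary; everything else in the decision stays the same.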