Skip to content

SC-XX: Process RFC 8657 CAA Parameters #567

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wthayer wants to merge 28 commits into
base: main
Choose a base branch
from
Open

SC-XX: Process RFC 8657 CAA Parameters #567

Changes from 24 commits
Commits
Show all changes
28 commits
Select commit Hold shift + click to select a range
34c69a0
Update 3.2.2.8
wthayer Jan 2, 2025
931a430
Update CPS requirement
wthayer Jan 3, 2025
7ab7800
Move to ca-defined method labels
wthayer Jan 3, 2025
1c745f6
Add 8657 compliance
wthayer Jan 3, 2025
eb6123c
Add 8555 and 8657 references
wthayer Jan 3, 2025
9966da5
Link section refs
wthayer Jan 3, 2025
102b4d8
Incorporate Clint's DNSSEC requirements
wthayer Jan 22, 2025
ce01855
Specify validationmethods format
wthayer Jan 22, 2025
5104234
Ben's 3.2.2.8 wording suggestions
wthayer Jan 24, 2025
194b9de
Reformat 3.2.2.8 and add subsections
wthayer Jan 26, 2025
6102730
Attempt to clarify dns-01 vs ca-dv-7 processing.
wthayer Jan 26, 2025
5b1be0a
Incorporate today's discussion
wthayer Feb 6, 2025
e43b1b7
dv to tbr in example
wthayer Feb 6, 2025
60b6607
Align CPS section requirement
wthayer Feb 7, 2025
72cf68b
Remove section link
wthayer Feb 7, 2025
772c9b3
Allow multiple accounturi formats
wthayer Feb 11, 2025
dc7546e
Add effective date for CPS + label format
wthayer Feb 11, 2025
9f609ff
Move 3.2.2.8 to 4.2.1.1
wthayer Mar 6, 2025
ea59002
Update 3.2.2.9 reference
wthayer Mar 6, 2025
15d5107
Revert DNSSEC requirements
wthayer Mar 6, 2025
797e82f
Fix heading levels
wthayer Mar 6, 2025
794c7f0
Move to 4.2.2 like SBRs
wthayer Mar 6, 2025
d3d28a3
Remove strict RFC 8555 compliance requirement.
wthayer Mar 27, 2025
bc33f4c
Add To-do for 3.2.2.8.1
wthayer Mar 27, 2025
9296059
Merge branch 'main' into SC-XX-Process-RFC-8657-CAA-Parameters
wthayer Dec 31, 2025
eeffb88
Merge in SC-085 changes
wthayer Dec 31, 2025
538a803
Merge Grace's CAA Parameters proposal
wthayer Dec 31, 2025
76f7f53
Remove duplicated MPIC language
wthayer Jan 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
68 changes: 45 additions & 23 deletions docs/BR.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -609,6 +609,10 @@ RFC7538, Request For Comments: 7538, The Hypertext Transfer Protocol Status Code

RFC8499, Request for Comments: 8499, DNS Terminology. P. Hoffman, et al. January 2019.

RFC8555, Request for Comments: 8555, Automatic Certificate Management Environment (ACME). R. Barnes, et al. March 2019.

RFC8657, Request for Comments: 8657, Certification Authority Authorization (CAA) Record Extensions for Account URI and Automatic Certificate Management Environment (ACME) Method Binding. H. Landau, et al. November 2019.

RFC8659, Request for Comments: 8659, DNS Certification Authority Authorization (CAA) Resource Record. P. Hallam-Baker, et al. November 2019.

RFC8738, Request for Comments: 8738, Automated Certificate Management Environment (ACME) IP Identifier Validation Extension. R.B.Shoemaker, Ed. February 2020.
Expand Down Expand Up @@ -1074,28 +1078,7 @@ Databases maintained by the CA, its owner, or its affiliated companies do not qu

#### 3.2.2.8 CAA Records

As part of the Certificate issuance process, the CA MUST retrieve and process CAA records in accordance with RFC 8659 for each `dNSName` in the `subjectAltName` extension that does not contain an Onion Domain Name. These practices MUST be described in Section 4.2 of the CA's Certificate Policy and/or Certification Practice Statement, including specifying the set of Issuer Domain Names that the CA recognizes in CAA "issue" or "issuewild" records as permitting it to issue.

Some methods relied upon for validating the Applicant's ownership or control of the subject domain(s) (see [Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control)) or IP address(es) (see [Section 3.2.2.5](#3225-authentication-for-an-ip-address)) to be listed in a certificate require CAA records to be retrieved and processed from additional remote Network Perspectives before Certificate issuance (see [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration)). To corroborate the Primary Network Perspective, a remote Network Perspective's CAA check response MUST be interpreted as permission to issue, regardless of whether the responses from both Perspectives are byte-for-byte identical. Additionally, a CA MAY consider the response from a remote Network Perspective as corroborating if one or both of the Perspectives experience an acceptable CAA record lookup failure, as defined in this section.

CAs MAY check CAA records at any other time.

When processing CAA records, CAs MUST process the issue, issuewild, and iodef property tags as specified in RFC 8659, although they are not required to act on the contents of the iodef property tag. Additional property tags MAY be supported, but MUST NOT conflict with or supersede the mandatory property tags set out in this document. CAs MUST respect the critical flag and not issue a certificate if they encounter an unrecognized property tag with this flag set.

If the CA issues a certificate after processing a CAA record, it MUST do so within the TTL of the CAA record, or 8 hours, whichever is greater.

RFC 8659 requires that CAs "MUST NOT issue a certificate unless the CA determines that either (1) the certificate request is consistent with the applicable CAA RRset or (2) an exception specified in the relevant CP or CPS applies." For issuances conforming to these Baseline Requirements, CAs MUST NOT rely on any exceptions specified in their CP or CPS unless they are one of the following:

* CAA checking is optional for certificates for which a Certificate Transparency Precertificate (see [Section 7.1.2.9](#7129-precertificate-profile)) was created and logged in at least two public logs, and for which CAA was checked at time of Precertificate issuance.
* CAA checking is optional for certificates issued by a Technically Constrained Subordinate CA Certificate as set out in [Section 7.1.2.3](#7123-technically-constrained-non-tls-subordinate-ca-certificate-profile) or [Section 7.1.2.5](#7125-technically-constrained-tls-subordinate-ca-certificate-profile), where the lack of CAA checking is an explicit contractual provision in the contract with the Applicant.

CAs are permitted to treat a record lookup failure as permission to issue if:

* the failure is outside the CA's infrastructure; and
* the lookup has been retried at least once; and
* the domain's zone does not have a DNSSEC validation chain to the ICANN root.

CAs MUST document potential issuances that were prevented by a CAA record in sufficient detail to provide feedback to the CA/Browser Forum on the circumstances, and SHOULD dispatch reports of such issuance requests to the contact(s) stipulated in the CAA iodef record(s), if present. CAs are not expected to support URL schemes in the iodef record other than mailto: or https:.
Refer to [Section 4.2.2.1](#4221-caa-record-processing) for CAA record processing requirements.

#### 3.2.2.9 Multi-Perspective Issuance Corroboration

Expand All @@ -1105,7 +1088,7 @@ The CA MAY use either the same set, or different sets of Network Perspectives wh

The set of responses from the relied upon Network Perspectives MUST provide the CA with the necessary information to allow it to affirmatively assess:
- a. the presence of the expected 1) Random Value, 2) Request Token, 3) IP Address, or 4) Contact Address, as required by the relied upon validation method specified in Sections 3.2.2.4 and 3.2.2.5; and
- b. the CA's authority to issue to the requested domain(s), as specified in Section 3.2.2.8.
- b. the CA's authority to issue to the requested domain(s), as specified in Section 4.2.2.1.

[Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control) and [Section 3.2.2.5](#3225-authentication-for-an-ip-address) describe the validation methods that require the use of Multi-Perspective Issuance Corroboration and how a Network Perspective can corroborate the outcomes determined by the Primary Network Perspective.

Expand Down Expand Up @@ -1236,6 +1219,45 @@ If a Delegated Third Party fulfills any of the CA's obligations under this secti

CAs SHALL NOT issue certificates containing Internal Names or Reserved IP Addresses, as such names cannot be validated according to [Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control) or [Section 3.2.2.5](#3225-authentication-for-an-ip-address).

#### 4.2.2.1 CAA Record Processing

As part of the Certificate issuance process, the CA MUST retrieve and process CAA records in accordance with RFC 8659 for each `dNSName` in the `subjectAltName` extension that does not contain an Onion Domain Name. These practices MUST be described in Section 4.2 of the CA's Certificate Policy and/or Certification Practice Statement, including specifying the set of Issuer Domain Names that the CA recognizes in CAA "issue" or "issuewild" records as permitting it to issue.

When processing CAA records, CAs MUST process the issue, issuewild, and iodef property tags as specified in RFC 8659, although they are not required to act on the contents of the iodef property tag. Additional property tags MAY be supported, but MUST NOT conflict with or supersede the mandatory property tags set out in this document. CAs MUST respect the critical flag and not issue a certificate if they encounter an unrecognized property tag with this flag set.

If the CA issues a certificate after processing a CAA record, it MUST do so within the TTL of the CAA record, or 8 hours, whichever is greater. CAs MAY check CAA records at any other time.

RFC 8659 requires that CAs "MUST NOT issue a certificate unless the CA determines that either (1) the certificate request is consistent with the applicable CAA RRset or (2) an exception specified in the relevant CP or CPS applies." For issuances conforming to these Baseline Requirements, CAs MUST NOT rely on any exceptions specified in their CP or CPS unless they are one of the following:

* CAA checking is optional for certificates for which a Certificate Transparency Precertificate (see [Section 7.1.2.9](#7129-precertificate-profile)) was created and logged in at least two public logs, and for which CAA was checked at time of Precertificate issuance.
* CAA checking is optional for certificates issued by a Technically Constrained Subordinate CA Certificate as set out in [Section 7.1.2.3](#7123-technically-constrained-non-tls-subordinate-ca-certificate-profile) or [Section 7.1.2.5](#7125-technically-constrained-tls-subordinate-ca-certificate-profile), where the lack of CAA checking is an explicit contractual provision in the contract with the Applicant.

CAs are permitted to treat a record lookup failure as permission to issue if:

* the failure is outside the CA's infrastructure; and
* the lookup has been retried at least once; and
* the CA has confirmed that the domain is "Insecure" as defined in [RFC 4035 Section 4.3](https://datatracker.ietf.org/doc/html/rfc4035#section-4.3).

CAs MUST document potential issuances that were prevented by a CAA record in sufficient detail to provide feedback to the CA/Browser Forum on the circumstances, and SHOULD dispatch reports of such issuance requests to the contact(s) stipulated in the CAA iodef record(s), if present. CAs are not expected to support URL schemes in the iodef record other than mailto: or https:.

TODO: Move 3.2.2.8.1 DNSSEC ballot language here!

###### 4.2.2.1.1 CAA Multi-Perspective Issuance Corroboration

Some methods relied upon for validating the Applicant's ownership or control of the subject domain(s) (see [Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control)) or IP address(es) (see [Section 3.2.2.5](#3225-authentication-for-an-ip-address)) to be listed in a certificate require CAA records to be retrieved and processed from additional remote Network Perspectives before Certificate issuance (see [Section 3.2.2.9](#3229-multi-perspective-issuance-corroboration)). To corroborate the Primary Network Perspective, a remote Network Perspective's CAA check response MUST be interpreted as permission to issue, regardless of whether the responses from both Perspectives are byte-for-byte identical. Additionally, a CA MAY consider the response from a remote Network Perspective as corroborating if one or both of the Perspectives experience an acceptable CAA record lookup failure, as defined in this section.

###### 4.2.2.1.2 CAA Parameters

When processing CAA records, CAs SHOULD process the accounturi and validationmethods parameters as specified in RFC 8657. *Effective March 15, 2027*, when processing CAA records, CAs MUST process the accounturi and validationmethods parameters as specified in RFC 8657.

In addition, *Effective March 15, 2026*, if the CA processes the accounturi and validationmethods parameters:
* If the CA accepts certificate requests via any protocol other than the ACME protocol, the CA MUST define the supported format(s) of the accounturi in Section 4.2 of their CP and/or CPS.
* If the CA accepts certificate requests via any protocol other than the ACME protocol, the CA MUST interpret and process validationmethods labels formed by concatenating the string ‘ca-tbr-’ with the BR 3.2.2.4 subsection number, e.g. ‘ca-tbr-7’ represents the DNS method described in TLS BR 3.2.2.4.7. If a CA performs domain validation using a mechanism that can be represented by multiple labels (e.g. 'dns-01' and 'ca-tbr-7'), the CA SHOULD accept any of the labels as granting permission to issue.
Copy link

@orangepizza orangepizza Apr 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. Can 'http-01' considered to represent 3.2.2.4.18? while it'd strictly mean 3.2.2.4.19, it's reasonable to assume user meant any http update challenges.
  2. Can ACME running CA use 'ca-tbr-19' as permission to use http-01 challenge? this paragraph doesn't apply if a CA doesn't offer something else, isn't it?

Copy link
Contributor

@aarongable aarongable Apr 18, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. Can 'http-01' considered to represent 3.2.2.4.18? while it'd strictly mean 3.2.2.4.19, it's reasonable to assume user meant any http update challenges.

No, 3.2.2.4.18 and 3.2.2.4.19 are in fact different validation methods (the expect the token to be in a different location and to look different) so permission to use one method cannot be interpreted as permission to use the other.

  1. Can ACME running CA use 'ca-tbr-19' as permission to use http-01 challenge? this paragraph doesn't apply if a CA doesn't offer something else, isn't it?

Yes, this paragraph simply says that non-ACME CAs MUST respect those designations; therefore an ACME CA MAY also respect them, as long as it appropriately documents that fact in its CPS.


###### 4.2.2.1.3 DNSSEC Validation of CAA Records

As an explicit exception to RFC 8657, CAs SHOULD perform DNSSEC validation to the ICANN DNSSEC root trust anchor when querying for and processing CAA records.

### 4.2.3 Time to process certificate applications

No stipulation.
Expand Down
Loading