V1.00.128.2025.06.03
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -1,5 +1,4 @@
|
|||||||
<?xml version="1.0" encoding="utf-8"?>
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
<?xml-model href="rfc7991bis.rnc"?>
|
|
||||||
|
|
||||||
<!DOCTYPE rfc [
|
<!DOCTYPE rfc [
|
||||||
<!ENTITY nbsp " ">
|
<!ENTITY nbsp " ">
|
||||||
@@ -34,7 +33,7 @@
|
|||||||
<address>
|
<address>
|
||||||
<postal>
|
<postal>
|
||||||
<city>Lisboa</city>
|
<city>Lisboa</city>
|
||||||
<country>PT</country>
|
<country>Portugal</country>
|
||||||
</postal>
|
</postal>
|
||||||
<phone>+1 (202) 992 1702</phone>
|
<phone>+1 (202) 992 1702</phone>
|
||||||
<email>rfc.editor@coresecret.eu</email>
|
<email>rfc.editor@coresecret.eu</email>
|
||||||
@@ -51,7 +50,6 @@
|
|||||||
<keyword>CATALOG</keyword>
|
<keyword>CATALOG</keyword>
|
||||||
<keyword>CT</keyword>
|
<keyword>CT</keyword>
|
||||||
<keyword>CT-Log</keyword>
|
<keyword>CT-Log</keyword>
|
||||||
<keyword>DNS</keyword>
|
|
||||||
<keyword>Log</keyword>
|
<keyword>Log</keyword>
|
||||||
<keyword>RR</keyword>
|
<keyword>RR</keyword>
|
||||||
<keyword>URI-Binding</keyword>
|
<keyword>URI-Binding</keyword>
|
||||||
@@ -89,23 +87,10 @@
|
|||||||
The author gratefully accepts pull requests.
|
The author gratefully accepts pull requests.
|
||||||
The author's PGP key is available at:
|
The author's PGP key is available at:
|
||||||
<eref target="https://keys.openpgp.org/vks/v1/by-fingerprint/7A8341E5F1570319D80F4418A11E88519A3D8CF6">
|
<eref target="https://keys.openpgp.org/vks/v1/by-fingerprint/7A8341E5F1570319D80F4418A11E88519A3D8CF6">
|
||||||
7A83 41E5 F157 0319 D80F 4418 A11E 8851 9A3D 8CF6</eref> <xref target="URI2" format="none">[2]</xref>.
|
7A83 41E5 F157 0319 D80F 4418 A11E 8851 9A3D 8CF6
|
||||||
</t>
|
|
||||||
<dl newline="true">
|
|
||||||
<dt>The list of current Internet-Drafts can be accessed in plain text at:</dt>
|
|
||||||
<dd>
|
|
||||||
<eref target="https://www.ietf.org/1id-abstracts.html">https://www.ietf.org/1id-abstracts.html</eref>
|
|
||||||
</dd>
|
|
||||||
<dt>The list of current Internet-Drafts can also be accessed at:</dt>
|
|
||||||
<dd>
|
|
||||||
<eref target="https://datatracker.ietf.org/drafts/current/">https://datatracker.ietf.org/drafts/current/
|
|
||||||
</eref>
|
</eref>
|
||||||
</dd>
|
<xref target="URI2" format="none">[2]</xref>.
|
||||||
<dt>The list of Internet-Draft Shadow Directories can be accessed at:</dt>
|
</t>
|
||||||
<dd>
|
|
||||||
<eref target="https://www.ietf.org/shadow.html">https://www.ietf.org/shadow.html</eref>
|
|
||||||
</dd>
|
|
||||||
</dl>
|
|
||||||
</note>
|
</note>
|
||||||
</front>
|
</front>
|
||||||
|
|
||||||
@@ -114,26 +99,39 @@
|
|||||||
<name>Introduction</name>
|
<name>Introduction</name>
|
||||||
<section>
|
<section>
|
||||||
<name>Certification Authority Authorization</name>
|
<name>Certification Authority Authorization</name>
|
||||||
<t>Certification Authority Authorization (CAA) <xref target="RFC8659"/> RRs empower domain owners
|
<t>Certification Authority Authorization (CAA)
|
||||||
|
<xref target="RFC8659"/>
|
||||||
|
RRs empower domain owners
|
||||||
to specify, via DNS<xref target="RFC1035"/>, which Certificate Authorities (CAs) in a
|
to specify, via DNS<xref target="RFC1035"/>, which Certificate Authorities (CAs) in a
|
||||||
Public Key Infrastructure <xref target="RFC5280"/> may or may not issue Certificates for their domains.
|
Public Key Infrastructure
|
||||||
|
<xref target="RFC5280"/>
|
||||||
|
may or may not issue Certificates for their domains.
|
||||||
</t>
|
</t>
|
||||||
<t>Similarly, the
|
<t>Similarly, the
|
||||||
CAA RR Extensions for Account URI and Automatic Certificate Management Environment
|
CAA RR Extensions for Account URI and Automatic Certificate Management Environment
|
||||||
(ACME) Method Binding <xref target="RFC8657"/> extend the CAA grammar to introduce additional parameters
|
(ACME) Method Binding
|
||||||
|
<xref target="RFC8657"/>
|
||||||
|
extend the CAA grammar to introduce additional parameters
|
||||||
for CAA RRs. These extensions enable or disable specified validation methods and bind a domain to
|
for CAA RRs. These extensions enable or disable specified validation methods and bind a domain to
|
||||||
specific accounts authorized to submit Certificate Signing Requests (CSRs) and retrieve end-entity
|
specific accounts authorized to submit Certificate Signing Requests (CSRs) and retrieve end-entity
|
||||||
Certificates.
|
Certificates.
|
||||||
</t>
|
</t>
|
||||||
<t>Additionally, the Certification Authority Authorization (CAA) processing for Email Addresses
|
<t>Additionally, the Certification Authority Authorization (CAA) processing for Email Addresses
|
||||||
<xref target="RFC9495"/> extends the established CAA RR mechanism by introducing a new property,
|
<xref target="RFC9495"/>
|
||||||
"issuemail", to apply CAA controls to the issuance of S/MIME <xref target="RFC8551"/> Certificates.
|
extends the established CAA RR mechanism by introducing a new property,
|
||||||
|
"issuemail", to apply CAA controls to the issuance of S/MIME
|
||||||
|
<xref target="RFC8551"/>
|
||||||
|
Certificates.
|
||||||
</t>
|
</t>
|
||||||
</section>
|
</section>
|
||||||
<section>
|
<section>
|
||||||
<name>Certificate Transparency</name>
|
<name>Certificate Transparency</name>
|
||||||
<t>Furthermore, Certificate Transparency (CT) Version 1 <xref target="RFC6962"/> (still in use), and
|
<t>Furthermore, Certificate Transparency (CT) Version 1
|
||||||
Certificate Transparency (CT) Version 2 <xref target="RFC9162"/> (which obsoletes RFC6962),
|
<xref target="RFC6962"/>
|
||||||
|
(still in use), and
|
||||||
|
Certificate Transparency (CT) Version 2
|
||||||
|
<xref target="RFC9162"/>
|
||||||
|
(which obsoletes RFC6962),
|
||||||
provide public, append-only ledgers of issued certificates, enabling domain owners and relying parties
|
provide public, append-only ledgers of issued certificates, enabling domain owners and relying parties
|
||||||
to detect misissuance.
|
to detect misissuance.
|
||||||
</t>
|
</t>
|
||||||
@@ -160,7 +158,8 @@
|
|||||||
Each CAA <strong>"issuect"</strong> RR names a single URI for log submission and retrieval,
|
Each CAA <strong>"issuect"</strong> RR names a single URI for log submission and retrieval,
|
||||||
specifies the time window during which whitelisted CAs may or must submit entries, and enumerates the
|
specifies the time window during which whitelisted CAs may or must submit entries, and enumerates the
|
||||||
authorized CT-Logs Public Keys.
|
authorized CT-Logs Public Keys.
|
||||||
Because <strong>"issuect"</strong> lives alongside existing CAA tags in a DNSSEC <xref target="RFC9364"/>
|
Because <strong>"issuect"</strong> lives alongside existing CAA tags in a DNSSEC
|
||||||
|
<xref target="RFC9364"/>
|
||||||
protected zone CAs can discover, validate, and enforce CT-Log policies without additional
|
protected zone CAs can discover, validate, and enforce CT-Log policies without additional
|
||||||
out-of-band trust anchors.
|
out-of-band trust anchors.
|
||||||
To enforce secure-by-default behavior, <strong>"issuect"</strong> supports explicit
|
To enforce secure-by-default behavior, <strong>"issuect"</strong> supports explicit
|
||||||
@@ -178,17 +177,22 @@
|
|||||||
including its
|
including its
|
||||||
<eref
|
<eref
|
||||||
target="https://github.com/google/certificate-transparency-community-site/blob/master/docs/google/known-logs.md">
|
target="https://github.com/google/certificate-transparency-community-site/blob/master/docs/google/known-logs.md">
|
||||||
Known CT-Logs</eref> <xref target="URI3" format="none">[3]</xref>, and a
|
Known CT-Logs
|
||||||
|
</eref>
|
||||||
|
<xref target="URI3" format="none">[3]</xref>, and a
|
||||||
<eref target="https://www.gstatic.com/ct/log_list/v3/log_list.json">
|
<eref target="https://www.gstatic.com/ct/log_list/v3/log_list.json">
|
||||||
JSON list of Logs compliant with Chrome's CT Policy</eref>
|
JSON list of Logs compliant with Chrome's CT Policy
|
||||||
|
</eref>
|
||||||
<xref target="URI4" format="none">[4]</xref>.
|
<xref target="URI4" format="none">[4]</xref>.
|
||||||
|
|
||||||
Apple similarly publishes its own CT-Truststore, detailed in its
|
Apple similarly publishes its own CT-Truststore, detailed in its
|
||||||
<eref target="https://support.apple.com/en-us/103214">
|
<eref target="https://support.apple.com/en-us/103214">
|
||||||
Certificate Transparency Policy
|
Certificate Transparency Policy
|
||||||
</eref> <xref target="URI5" format="none">[5]</xref>, and a
|
</eref>
|
||||||
|
<xref target="URI5" format="none">[5]</xref>, and a
|
||||||
<eref target="https://valid.apple.com/ct/log_list/current_log_list.json">
|
<eref target="https://valid.apple.com/ct/log_list/current_log_list.json">
|
||||||
JSON list of Logs meeting Apple's CT requirements</eref>
|
JSON list of Logs meeting Apple's CT requirements
|
||||||
|
</eref>
|
||||||
<xref target="URI6" format="none">[6]</xref>.
|
<xref target="URI6" format="none">[6]</xref>.
|
||||||
</t>
|
</t>
|
||||||
<t>By republishing and allowlisting selected entries from these audited CT-Log lists,
|
<t>By republishing and allowlisting selected entries from these audited CT-Log lists,
|
||||||
@@ -214,7 +218,8 @@
|
|||||||
requirements alongside CA Authorization (CAA) over a second secured channel.
|
requirements alongside CA Authorization (CAA) over a second secured channel.
|
||||||
It mirrors the approach of SMTP MTA-STS<xref target="RFC8461"/>, using DNS TXT RR, a specific
|
It mirrors the approach of SMTP MTA-STS<xref target="RFC8461"/>, using DNS TXT RR, a specific
|
||||||
subdomain and an HTTPS only served policy file.
|
subdomain and an HTTPS only served policy file.
|
||||||
A special DNS TXT record <strong>"_caa-ct-sts"</strong> <xref target="caa_ct_sts_txt"/>
|
A special DNS TXT record <strong>"_caa-ct-sts"</strong>
|
||||||
|
<xref target="caa_ct_sts_txt"/>
|
||||||
lets clients discover the existence and version of the policy, and a policy file,
|
lets clients discover the existence and version of the policy, and a policy file,
|
||||||
retrieved from "<em>https://caa-ct-sts.<domain>/.well-known/caa-ct-sts.txt</em>",
|
retrieved from "<em>https://caa-ct-sts.<domain>/.well-known/caa-ct-sts.txt</em>",
|
||||||
contains structured rules in a canonical key:value format.
|
contains structured rules in a canonical key:value format.
|
||||||
@@ -229,7 +234,8 @@
|
|||||||
caching behavior<xref target="dns_ttl"/>, and fallback,<xref target="dnssec_fallback"/>,
|
caching behavior<xref target="dns_ttl"/>, and fallback,<xref target="dnssec_fallback"/>,
|
||||||
strategies for non-DNSSEC zones are addressed.
|
strategies for non-DNSSEC zones are addressed.
|
||||||
Throughout this document, the framework is referred to by the recursive acronym
|
Throughout this document, the framework is referred to by the recursive acronym
|
||||||
<strong>CATALOG</strong> (CATALOG Authorization Transparency And Log Overlay for Graph-based DNS).
|
<strong>CATALOG</strong>
|
||||||
|
(CATALOG Authorization Transparency And Log Overlay for Graph-based DNS).
|
||||||
</t>
|
</t>
|
||||||
<t>The following sections specify the complete syntax and semantics of both of the
|
<t>The following sections specify the complete syntax and semantics of both of the
|
||||||
CAA <strong>"issuect"</strong> Property Tag,<xref target="caa_property"/>, and
|
CAA <strong>"issuect"</strong> Property Tag,<xref target="caa_property"/>, and
|
||||||
@@ -250,8 +256,11 @@
|
|||||||
<strong>"MUST"</strong>, <strong>"MUST NOT"</strong>, <strong>"REQUIRED"</strong>, <strong>"SHALL"</strong>,
|
<strong>"MUST"</strong>, <strong>"MUST NOT"</strong>, <strong>"REQUIRED"</strong>, <strong>"SHALL"</strong>,
|
||||||
<strong>"SHALL NOT"</strong>, <strong>"SHOULD"</strong>, <strong>"SHOULD NOT"</strong>,
|
<strong>"SHALL NOT"</strong>, <strong>"SHOULD"</strong>, <strong>"SHOULD NOT"</strong>,
|
||||||
<strong>"RECOMMENDED"</strong>, <strong>"NOT RECOMMENDED"</strong>, <strong>"MAY"</strong>, and
|
<strong>"RECOMMENDED"</strong>, <strong>"NOT RECOMMENDED"</strong>, <strong>"MAY"</strong>, and
|
||||||
<strong>"OPTIONAL"</strong> in this document are to be interpreted as described in
|
<strong>"OPTIONAL"</strong>
|
||||||
BCP 14 <xref target="RFC2119"/>, <xref target="RFC8174"/> when, and only when,
|
in this document are to be interpreted as described in
|
||||||
|
BCP 14<xref target="RFC2119"/>,
|
||||||
|
<xref target="RFC8174"/>
|
||||||
|
when, and only when,
|
||||||
they appear in all capitals, as shown here.
|
they appear in all capitals, as shown here.
|
||||||
</t>
|
</t>
|
||||||
</section>
|
</section>
|
||||||
@@ -407,7 +416,8 @@
|
|||||||
<section>
|
<section>
|
||||||
<name>CAA Syntax conformity</name>
|
<name>CAA Syntax conformity</name>
|
||||||
<t>All syntax introduced in this draft is strictly in accordance with the CAA RR framework defined in
|
<t>All syntax introduced in this draft is strictly in accordance with the CAA RR framework defined in
|
||||||
<xref target="RFC8659"/>, and <xref target="RFC8657"/>
|
<xref target="RFC8659"/>, and
|
||||||
|
<xref target="RFC8657"/>
|
||||||
when and only when <strong>NOT</strong> stated
|
when and only when <strong>NOT</strong> stated
|
||||||
otherwise.
|
otherwise.
|
||||||
</t>
|
</t>
|
||||||
@@ -420,7 +430,8 @@
|
|||||||
<name>CAA "issuect" Property Tag Definitions</name>
|
<name>CAA "issuect" Property Tag Definitions</name>
|
||||||
<section anchor="issuect">
|
<section anchor="issuect">
|
||||||
<name>CAA "issuect" Property Tag and its Parameters Syntax</name>
|
<name>CAA "issuect" Property Tag and its Parameters Syntax</name>
|
||||||
<t>This document defines the CAA <strong>"issuect"</strong> Property Tag.</t>
|
<t>This document defines the CAA <strong>"issuect"</strong> Property Tag.
|
||||||
|
</t>
|
||||||
<t>The presence of one or more CAA <strong>"issuect"</strong> Properties in the relevant
|
<t>The presence of one or more CAA <strong>"issuect"</strong> Properties in the relevant
|
||||||
CAA Resource Record Set (RRSet) indicates that the domain is requesting that
|
CAA Resource Record Set (RRSet) indicates that the domain is requesting that
|
||||||
Certification Authorities restrict the submission of Certificates to specified
|
Certification Authorities restrict the submission of Certificates to specified
|
||||||
@@ -431,10 +442,14 @@
|
|||||||
</t>
|
</t>
|
||||||
<t>The production rules for</t>
|
<t>The production rules for</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li><strong>"ALPHA"</strong>, </li>
|
<li><strong>"ALPHA"</strong>,
|
||||||
<li><strong>"DIGIT"</strong>,</li>
|
</li>
|
||||||
<li><strong>"DQUOTE"</strong>,</li>
|
<li><strong>"DIGIT"</strong>,
|
||||||
<li><strong>"SP"</strong>, </li>
|
</li>
|
||||||
|
<li><strong>"DQUOTE"</strong>,
|
||||||
|
</li>
|
||||||
|
<li><strong>"SP"</strong>,
|
||||||
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
<t>are defined in <eref target="https://rfc-editor.org/rfc/rfc5234#appendix-B.1">Appendix B.1</eref> of
|
<t>are defined in <eref target="https://rfc-editor.org/rfc/rfc5234#appendix-B.1">Appendix B.1</eref> of
|
||||||
<xref target="RFC5234"/>.
|
<xref target="RFC5234"/>.
|
||||||
@@ -447,11 +462,11 @@
|
|||||||
<name>CAA "issuect" Property Tag ABNF Syntax</name>
|
<name>CAA "issuect" Property Tag ABNF Syntax</name>
|
||||||
<sourcecode type="abnf" markers="false">
|
<sourcecode type="abnf" markers="false">
|
||||||
<![CDATA[
|
<![CDATA[
|
||||||
ALPHA = %x41-5A / %x61-7A ; A–Z / a–z
|
ALPHA = %x41-5A / %x61-7A ; A-Z / a-z
|
||||||
DIGIT = %x30-39 ; 0–9
|
DIGIT = %x30-39 ; 0-9
|
||||||
SP = %x20 ; SPACE
|
SP = %x20 ; SPACE
|
||||||
DQUOTE = %x22 ; "
|
DQUOTE = %x22 ; "
|
||||||
HEXDIG = DIGIT / %x41-46 / %x61-66 ; 0–9 / A–F / a–f
|
HEXDIG = DIGIT / %x41-46 / %x61-66 ; 0-9 / A-F / a-f
|
||||||
|
|
||||||
issuect-property = "issuect" SP DQUOTE issuect-value DQUOTE
|
issuect-property = "issuect" SP DQUOTE issuect-value DQUOTE
|
||||||
|
|
||||||
@@ -507,7 +522,9 @@ b64-string = 1*( b64-char / "=" )
|
|||||||
<dd>: The parameter name desc, followed by "=", followed by a desc-text value enclosed in single quotes.</dd>
|
<dd>: The parameter name desc, followed by "=", followed by a desc-text value enclosed in single quotes.</dd>
|
||||||
|
|
||||||
<dt>desc-text</dt>
|
<dt>desc-text</dt>
|
||||||
<dd>: A string of printable ASCII characters (letters, digits, and symbols), excluding the single-quote character (').</dd>
|
<dd>: A string of printable ASCII characters (letters, digits, and symbols), excluding the single-quote character
|
||||||
|
(').
|
||||||
|
</dd>
|
||||||
|
|
||||||
<dt>validfrom</dt>
|
<dt>validfrom</dt>
|
||||||
<dd>: The parameter name validfrom, followed by "=", followed by a date-time value.</dd>
|
<dd>: The parameter name validfrom, followed by "=", followed by a date-time value.</dd>
|
||||||
@@ -528,7 +545,8 @@ b64-string = 1*( b64-char / "=" )
|
|||||||
<dd>: The parameter name cturi, followed by "=", followed by an uri.</dd>
|
<dd>: The parameter name cturi, followed by "=", followed by an uri.</dd>
|
||||||
|
|
||||||
<dt>uri</dt>
|
<dt>uri</dt>
|
||||||
<dd>: An absolute URI as defined by <xref target="RFC3986"/>.</dd>
|
<dd>: An absolute URI as defined by<xref target="RFC3986"/>.
|
||||||
|
</dd>
|
||||||
|
|
||||||
<dt>logid-param</dt>
|
<dt>logid-param</dt>
|
||||||
<dd>: The parameter name logid, followed by "=", followed by a b64-string enclosed in single quotes.</dd>
|
<dd>: The parameter name logid, followed by "=", followed by a b64-string enclosed in single quotes.</dd>
|
||||||
@@ -540,7 +558,9 @@ b64-string = 1*( b64-char / "=" )
|
|||||||
<dd>: One or more Base64 characters (b64-char), optionally ending with "=" padding.</dd>
|
<dd>: One or more Base64 characters (b64-char), optionally ending with "=" padding.</dd>
|
||||||
|
|
||||||
<dt>b64-char</dt>
|
<dt>b64-char</dt>
|
||||||
<dd>: A single character drawn from uppercase and lowercase letters (A – Z, a–z), digits (0–9), plus ("+"), slash ("/"), or hyphen ("-").</dd>
|
<dd>: A single character drawn from uppercase and lowercase letters (A - Z, a-z), digits (0-9), plus ("+"), slash
|
||||||
|
("/"), or hyphen ("-").
|
||||||
|
</dd>
|
||||||
</dl>
|
</dl>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
@@ -558,35 +578,50 @@ issuect "<issuer-domain>; <critical>; <description>; <validfrom>; <validtill>; <
|
|||||||
</sourcecode>
|
</sourcecode>
|
||||||
</figure>
|
</figure>
|
||||||
<ol type="(%c)">
|
<ol type="(%c)">
|
||||||
<li>The tag <strong>"issuect"</strong> <strong>MUST</strong> always appear in lowercase.</li>
|
<li>The tag <strong>"issuect"</strong>
|
||||||
<li>The complete property parameter set <strong>MUST</strong> be enclosed in double quotes.</li>
|
<strong>MUST</strong> always appear in lowercase.
|
||||||
|
</li>
|
||||||
|
<li>The complete property parameter set <strong>MUST</strong> be enclosed in double quotes.
|
||||||
|
</li>
|
||||||
<li>A single space <strong>MUST</strong> appear after <strong>"issuect"</strong> and after each semicolon,
|
<li>A single space <strong>MUST</strong> appear after <strong>"issuect"</strong> and after each semicolon,
|
||||||
except for the final semicolon after the last parameter, where no space follows.
|
except for the final semicolon after the last parameter, where no space follows.
|
||||||
</li>
|
</li>
|
||||||
<li>All domain labels and hostnames <strong>MUST</strong> be in lowercase.</li>
|
<li>All domain labels and hostnames <strong>MUST</strong> be in lowercase.
|
||||||
<li>The value of the "critical" flag <strong>MUST</strong> be either "true" or "false".</li>
|
</li>
|
||||||
|
<li>The value of the "critical" flag <strong>MUST</strong> be either "true" or "false".
|
||||||
|
</li>
|
||||||
<li>The string following "desc=" <strong>MUST</strong> be enclosed in single quotes,
|
<li>The string following "desc=" <strong>MUST</strong> be enclosed in single quotes,
|
||||||
and <strong>MUST NOT</strong> contain any single quote character ("'") within the string itself.
|
and <strong>MUST NOT</strong> contain any single quote character ("'") within the string itself.
|
||||||
</li>
|
</li>
|
||||||
<li>Timestamps <strong>MUST</strong> strictly follow the format "YYYY-MM-DDThh:mm:ssZ".</li>
|
<li>Timestamps <strong>MUST</strong> strictly follow the format "YYYY-MM-DDThh:mm:ssZ".
|
||||||
|
</li>
|
||||||
<li>The URI <strong>MUST</strong> remain unchanged, except that all hostnames within it
|
<li>The URI <strong>MUST</strong> remain unchanged, except that all hostnames within it
|
||||||
<strong>MUST</strong> be lowercase, in accordance with DNS naming conventions.
|
<strong>MUST</strong>
|
||||||
|
be lowercase, in accordance with DNS naming conventions.
|
||||||
</li>
|
</li>
|
||||||
<li>The string following "logid=" <strong>MUST</strong> be enclosed in single quotes
|
<li>The string following "logid=" <strong>MUST</strong> be enclosed in single quotes
|
||||||
and <strong>MUST</strong> contain the BASE64-encoded SHA-256 hash of the CT-Log's
|
and <strong>MUST</strong> contain the BASE64-encoded SHA-256 hash of the CT-Log's
|
||||||
DER-encoded SubjectPublicKeyInfo.</li>
|
DER-encoded SubjectPublicKeyInfo.
|
||||||
|
</li>
|
||||||
<li>The string following "pubkey=" <strong>MUST</strong> be enclosed in single quotes
|
<li>The string following "pubkey=" <strong>MUST</strong> be enclosed in single quotes
|
||||||
and <strong>MUST</strong> contain the BASE64-encoded ASN.1-format SubjectPublicKeyInfo
|
and <strong>MUST</strong> contain the BASE64-encoded ASN.1-format SubjectPublicKeyInfo
|
||||||
of the CT-Log itself.</li>
|
of the CT-Log itself.
|
||||||
<li>A trailing semicolon <strong>MUST</strong> follow the "pubkey" parameter.</li>
|
</li>
|
||||||
|
<li>A trailing semicolon <strong>MUST</strong> follow the "pubkey" parameter.
|
||||||
|
</li>
|
||||||
</ol>
|
</ol>
|
||||||
<t>Whereas</t>
|
<t>Whereas</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>Timestamps are according to <xref target="ISO-8601"/>.</li>
|
<li>Timestamps are according to<xref target="ISO-8601"/>.
|
||||||
<li>BASE64-encoding is according to <xref target="RFC4648"/>.</li>
|
</li>
|
||||||
<li>SHA256-hash is according to <xref target="RFC6234"/>.</li>
|
<li>BASE64-encoding is according to<xref target="RFC4648"/>.
|
||||||
<li>DER-encoding is according to <xref target="X.690"/>.</li>
|
</li>
|
||||||
<li>ASN.1-format is according to <xref target="X.680"/>.</li>
|
<li>SHA256-hash is according to<xref target="RFC6234"/>.
|
||||||
|
</li>
|
||||||
|
<li>DER-encoding is according to<xref target="X.690"/>.
|
||||||
|
</li>
|
||||||
|
<li>ASN.1-format is according to<xref target="X.680"/>.
|
||||||
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
</section>
|
</section>
|
||||||
<section>
|
<section>
|
||||||
@@ -597,14 +632,22 @@ issuect "<issuer-domain>; <critical>; <description>; <validfrom>; <validtill>; <
|
|||||||
except where noted.
|
except where noted.
|
||||||
</t>
|
</t>
|
||||||
<ol type="(%d)">
|
<ol type="(%d)">
|
||||||
<li><t><strong>Issuer Domain Name</strong></t>
|
<li>
|
||||||
<t>The authorized Certification Authority's domain name, in LDH notation (ASCII letters, digits, hyphens), as defined in Section 3.1.</t>
|
<t>
|
||||||
|
<strong>Issuer Domain Name</strong>
|
||||||
|
</t>
|
||||||
|
<t>The authorized Certification Authority's domain name, in LDH notation (ASCII letters, digits, hyphens), as
|
||||||
|
defined in Section 3.1.
|
||||||
|
</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>Position: #1</li>
|
<li>Position: #1</li>
|
||||||
<li>Syntax: issuer-domain-name;</li>
|
<li>Syntax: issuer-domain-name;</li>
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li><t><strong>critical</strong></t>
|
<li>
|
||||||
|
<t>
|
||||||
|
<strong>critical</strong>
|
||||||
|
</t>
|
||||||
<t>A boolean flag enforcing mandatory logging.</t>
|
<t>A boolean flag enforcing mandatory logging.</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>Position: #2</li>
|
<li>Position: #2</li>
|
||||||
@@ -612,7 +655,10 @@ issuect "<issuer-domain>; <critical>; <description>; <validfrom>; <validtill>; <
|
|||||||
<li>Syntax: critical=<true|false>;</li>
|
<li>Syntax: critical=<true|false>;</li>
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li><t><strong>desc</strong></t>
|
<li>
|
||||||
|
<t>
|
||||||
|
<strong>desc</strong>
|
||||||
|
</t>
|
||||||
<t>A human-readable description of the CT-Log.</t>
|
<t>A human-readable description of the CT-Log.</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>Position: #3</li>
|
<li>Position: #3</li>
|
||||||
@@ -620,7 +666,10 @@ issuect "<issuer-domain>; <critical>; <description>; <validfrom>; <validtill>; <
|
|||||||
<li>Syntax: desc='<desc-text>';</li>
|
<li>Syntax: desc='<desc-text>';</li>
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li><t><strong>validfrom</strong></t>
|
<li>
|
||||||
|
<t>
|
||||||
|
<strong>validfrom</strong>
|
||||||
|
</t>
|
||||||
<t>The start of the CT-Log acceptance window.</t>
|
<t>The start of the CT-Log acceptance window.</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>Position: #4</li>
|
<li>Position: #4</li>
|
||||||
@@ -628,7 +677,10 @@ issuect "<issuer-domain>; <critical>; <description>; <validfrom>; <validtill>; <
|
|||||||
<li>Syntax: validfrom=<YYYY-MM-DDThh:mm:ssZ>;</li>
|
<li>Syntax: validfrom=<YYYY-MM-DDThh:mm:ssZ>;</li>
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li><t><strong>validtill</strong></t>
|
<li>
|
||||||
|
<t>
|
||||||
|
<strong>validtill</strong>
|
||||||
|
</t>
|
||||||
<t>The end of the CT-Log acceptance window.</t>
|
<t>The end of the CT-Log acceptance window.</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>Position: #5</li>
|
<li>Position: #5</li>
|
||||||
@@ -636,23 +688,35 @@ issuect "<issuer-domain>; <critical>; <description>; <validfrom>; <validtill>; <
|
|||||||
<li>Syntax: validtill=<YYYY-MM-DDThh:mm:ssZ>;</li>
|
<li>Syntax: validtill=<YYYY-MM-DDThh:mm:ssZ>;</li>
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li><t><strong>cturi</strong></t>
|
<li>
|
||||||
|
<t>
|
||||||
|
<strong>cturi</strong>
|
||||||
|
</t>
|
||||||
<t>The absolute URI for CT-Log submissions and queries.</t>
|
<t>The absolute URI for CT-Log submissions and queries.</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>Position: #6</li>
|
<li>Position: #6</li>
|
||||||
<li>Value: any URI conforming to <xref target="RFC3986"/>, with hostnames in lowercase</li>
|
<li>Value: any URI conforming to<xref target="RFC3986"/>, with hostnames in lowercase
|
||||||
|
</li>
|
||||||
<li>Syntax: cturi=<absolute-URI>;</li>
|
<li>Syntax: cturi=<absolute-URI>;</li>
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li><t><strong>logid</strong></t>
|
<li>
|
||||||
|
<t>
|
||||||
|
<strong>logid</strong>
|
||||||
|
</t>
|
||||||
<t>The CT-Log's identifier.</t>
|
<t>The CT-Log's identifier.</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>Position: #7</li>
|
<li>Position: #7</li>
|
||||||
<li>Value: Base64-encoded SHA-256 hash of the CT-Log's DER-encoded SubjectPublicKeyInfo, enclosed in single quotes</li>
|
<li>Value: Base64-encoded SHA-256 hash of the CT-Log's DER-encoded SubjectPublicKeyInfo, enclosed in single
|
||||||
|
quotes
|
||||||
|
</li>
|
||||||
<li>Syntax: logid='<BASE64-SHA256>';</li>
|
<li>Syntax: logid='<BASE64-SHA256>';</li>
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li><t><strong>key</strong></t>
|
<li>
|
||||||
|
<t>
|
||||||
|
<strong>key</strong>
|
||||||
|
</t>
|
||||||
<t>The CT-Log's public key.</t>
|
<t>The CT-Log's public key.</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>Position: #8</li>
|
<li>Position: #8</li>
|
||||||
@@ -697,7 +761,8 @@ issuect ";"
|
|||||||
<t>Prior to issuing a Certificate, a Certification Authority <strong>MUST</strong> obtain at least n + 1
|
<t>Prior to issuing a Certificate, a Certification Authority <strong>MUST</strong> obtain at least n + 1
|
||||||
unique CAA <strong>"issuect"</strong> RRs for each CA account,
|
unique CAA <strong>"issuect"</strong> RRs for each CA account,
|
||||||
where n is the minimum number of Signed Certificate Timestamps (SCTs)
|
where n is the minimum number of Signed Certificate Timestamps (SCTs)
|
||||||
<eref target="https://www.rfc-editor.org/rfc/rfc6962#section-3.2">Section 3.2</eref> as per
|
<eref target="https://www.rfc-editor.org/rfc/rfc6962#section-3.2">Section 3.2</eref>
|
||||||
|
as per
|
||||||
<xref target="RFC6962"/>.
|
<xref target="RFC6962"/>.
|
||||||
The value of n <strong>MAY</strong> vary based on the requested Certificate's validity period,
|
The value of n <strong>MAY</strong> vary based on the requested Certificate's validity period,
|
||||||
CT-Log Operator Policies, the CA's CP/CPS, and the CA/Browser Forum Baseline Requirements.
|
CT-Log Operator Policies, the CA's CP/CPS, and the CA/Browser Forum Baseline Requirements.
|
||||||
@@ -707,7 +772,8 @@ issuect ";"
|
|||||||
<t>Note: Determining the exact minimum number of unique CAA <strong>"issuect"</strong> RRs per CA is
|
<t>Note: Determining the exact minimum number of unique CAA <strong>"issuect"</strong> RRs per CA is
|
||||||
outside the scope of this document.
|
outside the scope of this document.
|
||||||
Domain owners <strong>SHOULD</strong> refer to the CT-Log policies published by major operators,
|
Domain owners <strong>SHOULD</strong> refer to the CT-Log policies published by major operators,
|
||||||
(e.g., <eref target="https://googlechrome.github.io/CertificateTransparency/ct_policy.html">
|
(e.g.,
|
||||||
|
<eref target="https://googlechrome.github.io/CertificateTransparency/ct_policy.html">
|
||||||
Apple's Certificate Transparency Policy
|
Apple's Certificate Transparency Policy
|
||||||
</eref>
|
</eref>
|
||||||
<xref target="URI5" format="none">[5]</xref>, and
|
<xref target="URI5" format="none">[5]</xref>, and
|
||||||
@@ -721,10 +787,12 @@ issuect ";"
|
|||||||
</section>
|
</section>
|
||||||
<section>
|
<section>
|
||||||
<name>Prior to Issuing a Certificate</name>
|
<name>Prior to Issuing a Certificate</name>
|
||||||
<t>Before issuing a Certificate that certifies a domain, the Certification Authority <strong>MUST</strong>
|
<t>Before issuing a Certificate that certifies a domain, the Certification Authority
|
||||||
|
<strong>MUST</strong>
|
||||||
check for the publication of a relevant RRSet.
|
check for the publication of a relevant RRSet.
|
||||||
Discovery of the relevant RRSet <strong>MUST</strong> be performed according to the algorithm specified in
|
Discovery of the relevant RRSet <strong>MUST</strong> be performed according to the algorithm specified in
|
||||||
<eref target="https://www.rfc-editor.org/rfc/rfc8659#section-3">Section 3</eref> of <xref target="RFC8659"/>.
|
<eref target="https://www.rfc-editor.org/rfc/rfc8659#section-3">Section 3</eref>
|
||||||
|
of<xref target="RFC8659"/>.
|
||||||
|
|
||||||
If the relevant RRSet is empty or does not contain any <strong>"issuect"</strong> Properties,
|
If the relevant RRSet is empty or does not contain any <strong>"issuect"</strong> Properties,
|
||||||
it is interpreted that the domain owner has not requested any restrictions regarding the submission
|
it is interpreted that the domain owner has not requested any restrictions regarding the submission
|
||||||
@@ -742,7 +810,8 @@ issuect ";"
|
|||||||
"issue" and / or "issuewild" policies.
|
"issue" and / or "issuewild" policies.
|
||||||
|
|
||||||
For example, if a CAA issue Property authorizes "CA A" to issue Certificates, but the
|
For example, if a CAA issue Property authorizes "CA A" to issue Certificates, but the
|
||||||
<strong>"issuect"</strong> Property references a CT-Log belonging to "CA B",
|
<strong>"issuect"</strong>
|
||||||
|
Property references a CT-Log belonging to "CA B",
|
||||||
this results in an unsatisfiable configuration.
|
this results in an unsatisfiable configuration.
|
||||||
|
|
||||||
In such cases, issuance <strong>MUST NOT</strong> proceed.
|
In such cases, issuance <strong>MUST NOT</strong> proceed.
|
||||||
@@ -757,26 +826,38 @@ issuect ";"
|
|||||||
<t>The internal handling of <strong>"issuect"</strong> parameters is left to each Certification Authority's
|
<t>The internal handling of <strong>"issuect"</strong> parameters is left to each Certification Authority's
|
||||||
implementation and is outside the scope of this document.
|
implementation and is outside the scope of this document.
|
||||||
</t>
|
</t>
|
||||||
<t>However, the following requirements <strong>MUST</strong> be met:</t>
|
<t>However, the following requirements <strong>MUST</strong> be met:
|
||||||
|
</t>
|
||||||
<ol type="(%d)">
|
<ol type="(%d)">
|
||||||
<li><t><strong>ABNF Conformance</strong></t>
|
<li>
|
||||||
|
<t>
|
||||||
|
<strong>ABNF Conformance</strong>
|
||||||
|
</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>Any CAA <strong>"issuect"</strong> RR whose parameters do not conform to the ABNF grammar
|
<li>Any CAA <strong>"issuect"</strong> RR whose parameters do not conform to the ABNF grammar
|
||||||
in Section 3 <strong>MUST</strong> be treated as though the <strong>"issuect"</strong>
|
in Section 3 <strong>MUST</strong> be treated as though the
|
||||||
|
<strong>"issuect"</strong>
|
||||||
tag does not exist.
|
tag does not exist.
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li><t><strong>Malformed RRs</strong></t>
|
<li>
|
||||||
|
<t>
|
||||||
|
<strong>Malformed RRs</strong>
|
||||||
|
</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>If a RR is syntactically malformed (e.g., missing parameters, incorrect ordering,
|
<li>If a RR is syntactically malformed (e.g., missing parameters, incorrect ordering,
|
||||||
invalid quoting), it <strong>MUST</strong> be ignored in its entirety.
|
invalid quoting), it <strong>MUST</strong> be ignored in its entirety.
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li><t><strong>CT-Log Policy Enforcement</strong></t>
|
<li>
|
||||||
|
<t>
|
||||||
|
<strong>CT-Log Policy Enforcement</strong>
|
||||||
|
</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>After parsing all valid CAA <strong>"issuect"</strong> RRs, the CA <strong>MUST</strong>
|
<li>After parsing all valid CAA <strong>"issuect"</strong> RRs, the CA
|
||||||
|
<strong>MUST</strong>
|
||||||
verify that the resulting set of whitelisted CT-Logs satisfies its own CT-Log policy,
|
verify that the resulting set of whitelisted CT-Logs satisfies its own CT-Log policy,
|
||||||
(as published in its CP/CPS,
|
(as published in its CP/CPS,
|
||||||
CT-Log operator requirements, or other policy documents).
|
CT-Log operator requirements, or other policy documents).
|
||||||
@@ -805,7 +886,7 @@ issuect ";"
|
|||||||
</t>
|
</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>v (plaintext, required): protocol version. The only valid value is "CAACTSTSv1".</li>
|
<li>v (plaintext, required): protocol version. The only valid value is "CAACTSTSv1".</li>
|
||||||
<li>id (plaintext, required): a version identifier string (1–32 alphanumeric chars) used to signal updates.
|
<li>id (plaintext, required): a version identifier string (1-32 alphanumeric chars) used to signal updates.
|
||||||
This must change whenever the policy file is updated.
|
This must change whenever the policy file is updated.
|
||||||
</li>
|
</li>
|
||||||
<li>Extension fields (optional): any other key:value pairs (see ABNF below).</li>
|
<li>Extension fields (optional): any other key:value pairs (see ABNF below).</li>
|
||||||
@@ -815,7 +896,8 @@ issuect ";"
|
|||||||
</t>
|
</t>
|
||||||
<t>If DNS returns multiple <strong>"_caa-ct-sts"</strong> TXT RR, or if none of them starts with
|
<t>If DNS returns multiple <strong>"_caa-ct-sts"</strong> TXT RR, or if none of them starts with
|
||||||
"v=CAACTSTSv1", or if parsing fails, clients <strong>MUST</strong> assume no
|
"v=CAACTSTSv1", or if parsing fails, clients <strong>MUST</strong> assume no
|
||||||
<strong>CAA-CT-STS</strong> policy is available.
|
<strong>CAA-CT-STS</strong>
|
||||||
|
policy is available.
|
||||||
DNS CNAME RR are allowed:
|
DNS CNAME RR are allowed:
|
||||||
if <strong>"_caa-ct-sts"</strong> is a CNAME to another <strong>"_caa-ct-sts"</strong> RR,
|
if <strong>"_caa-ct-sts"</strong> is a CNAME to another <strong>"_caa-ct-sts"</strong> RR,
|
||||||
clients follow the alias (as in MTA-STS).
|
clients follow the alias (as in MTA-STS).
|
||||||
@@ -858,18 +940,24 @@ issuect-ext-value = 1*(%x21-3A / %x3C / %x3E-7E)
|
|||||||
</section>
|
</section>
|
||||||
<section anchor="caa_ct_sts_policy">
|
<section anchor="caa_ct_sts_policy">
|
||||||
<name>CAA-CT-STS Policy File</name>
|
<name>CAA-CT-STS Policy File</name>
|
||||||
<t>Once a <strong>"_caa-ct-sts"</strong> RR indicates support, the <strong>"CAA-CT-STS"</strong>
|
<t>Once a <strong>"_caa-ct-sts"</strong> RR indicates support, the
|
||||||
|
<strong>"CAA-CT-STS"</strong>
|
||||||
policy is fetched via HTTPS contains newline-separated "key:value"-pairs, similar to MTA-STS.
|
policy is fetched via HTTPS contains newline-separated "key:value"-pairs, similar to MTA-STS.
|
||||||
The canonical policy fields are:
|
The canonical policy fields are:
|
||||||
</t>
|
</t>
|
||||||
<ol type="(%c)">
|
<ol type="(%c)">
|
||||||
<li>version (required): <strong>MUST</strong> be "CAACTSTSv1". This identifies the policy version.</li>
|
<li>version (required): <strong>MUST</strong> be "CAACTSTSv1". This identifies the policy version.
|
||||||
|
</li>
|
||||||
<li>max_age (required): a non-negative integer (seconds) giving the lifetime of the policy.
|
<li>max_age (required): a non-negative integer (seconds) giving the lifetime of the policy.
|
||||||
Clients <strong>SHOULD</strong> cache the policy up to max_age (up to 31 557 600).</li>
|
Clients <strong>SHOULD</strong> cache the policy up to max_age (up to 31 557 600).
|
||||||
|
</li>
|
||||||
<li>ct_policy (required): at least one.
|
<li>ct_policy (required): at least one.
|
||||||
For each CT-Log a single entry has to be provided according to the same syntax as
|
For each CT-Log a single entry has to be provided according to the same syntax as
|
||||||
defined in <xref target="issuect"/> while ignoring the leading "issuect" Tag, see:
|
defined in
|
||||||
<xref target="caa_ct_sts_policy_examples"/> for examples.
|
<xref target="issuect"/>
|
||||||
|
while ignoring the leading "issuect" Tag, see:
|
||||||
|
<xref target="caa_ct_sts_policy_examples"/>
|
||||||
|
for examples.
|
||||||
</li>
|
</li>
|
||||||
<li>Extension fields: additional key:value pairs allowed.</li>
|
<li>Extension fields: additional key:value pairs allowed.</li>
|
||||||
</ol>
|
</ol>
|
||||||
@@ -884,8 +972,8 @@ issuect-ext-value = 1*(%x21-3A / %x3C / %x3E-7E)
|
|||||||
<name>ABNF Syntax of "/.well-known/caa-ct-sts.txt" Policy File</name>
|
<name>ABNF Syntax of "/.well-known/caa-ct-sts.txt" Policy File</name>
|
||||||
<sourcecode type="dns-rr" markers="false">
|
<sourcecode type="dns-rr" markers="false">
|
||||||
<![CDATA[
|
<![CDATA[
|
||||||
ALPHA = %x41-5A / %x61-7A ; A–Z / a–z
|
ALPHA = %x41-5A / %x61-7A ; A-Z / a-z
|
||||||
DIGIT = %x30-39 ; 0–9
|
DIGIT = %x30-39 ; 0-9
|
||||||
SP = %x20 ; SPACE
|
SP = %x20 ; SPACE
|
||||||
DQUOTE = %x22 ; "
|
DQUOTE = %x22 ; "
|
||||||
SEMICOLON = %x3B ; ";"
|
SEMICOLON = %x3B ; ";"
|
||||||
@@ -942,14 +1030,16 @@ WSP = *( SP / HTAB )
|
|||||||
Parsers <strong>MUST</strong> accept policies that are syntactically valid; unknown fields are treated
|
Parsers <strong>MUST</strong> accept policies that are syntactically valid; unknown fields are treated
|
||||||
as extensions and ignored.
|
as extensions and ignored.
|
||||||
A policy with no "ct_log" entries (and "mode" not explicitly set to "none") is invalid.
|
A policy with no "ct_log" entries (and "mode" not explicitly set to "none") is invalid.
|
||||||
See Section TODO for policy validation.</t>
|
See Section TODO for policy validation.
|
||||||
|
</t>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
<section anchor="caa_ct_sts_processing">
|
<section anchor="caa_ct_sts_processing">
|
||||||
<name>CAA-CT-STS Processing</name>
|
<name>CAA-CT-STS Processing</name>
|
||||||
<section anchor="https_policy_fetching">
|
<section anchor="https_policy_fetching">
|
||||||
<name>CAA-CT-STS Policy File HTTPS Fetching</name>
|
<name>CAA-CT-STS Policy File HTTPS Fetching</name>
|
||||||
<t>The CAA-CT-STS Policy File is fetched via "HTTPS GET" via TLS1.3 <xref target="RFC8446"/>, only, from</t>
|
<t>The CAA-CT-STS Policy File is fetched via "HTTPS GET" via TLS1.3<xref target="RFC8446"/>, only, from
|
||||||
|
</t>
|
||||||
<figure>
|
<figure>
|
||||||
<name>HTTPS GET "/.well-known/caa-ct-sts.txt" Policy File</name>
|
<name>HTTPS GET "/.well-known/caa-ct-sts.txt" Policy File</name>
|
||||||
<sourcecode type="dns-rr" markers="false">
|
<sourcecode type="dns-rr" markers="false">
|
||||||
@@ -982,7 +1072,8 @@ https://caa-ct-sts.<domain>.<tld>/.well-known/caa-ct-sts.txt
|
|||||||
the policy is considered unavailable or invalid, and Certification Authorities fall back to "no policy".
|
the policy is considered unavailable or invalid, and Certification Authorities fall back to "no policy".
|
||||||
|
|
||||||
HTTP 3xx redirects <strong>MUST NOT</strong> be followed, and HTTP caching
|
HTTP 3xx redirects <strong>MUST NOT</strong> be followed, and HTTP caching
|
||||||
<xref target="RFC7234"/> <strong>MUST NOT</strong> be used.
|
<xref target="RFC7234"/>
|
||||||
|
<strong>MUST NOT</strong> be used.
|
||||||
|
|
||||||
A new or updated Policy is identified when its content differs
|
A new or updated Policy is identified when its content differs
|
||||||
(e.g., a new "id" in DNS or new "version" in the Policy File);
|
(e.g., a new "id" in DNS or new "version" in the Policy File);
|
||||||
@@ -998,15 +1089,21 @@ https://caa-ct-sts.<domain>.<tld>/.well-known/caa-ct-sts.txt
|
|||||||
for correct syntax and semantics:
|
for correct syntax and semantics:
|
||||||
</t>
|
</t>
|
||||||
<ul>
|
<ul>
|
||||||
<li>The "version" field <strong>MUST</strong> equal "CAACTSTSv1",</li>
|
<li>The "version" field <strong>MUST</strong> equal "CAACTSTSv1",
|
||||||
<li>While "max_age" <strong>MUST</strong> be a valid non-negative integer,</li>
|
</li>
|
||||||
|
<li>While "max_age" <strong>MUST</strong> be a valid non-negative integer,
|
||||||
|
</li>
|
||||||
<li>and at least "1 + n" "ct_log" <strong>MUST</strong> be present, see:
|
<li>and at least "1 + n" "ct_log" <strong>MUST</strong> be present, see:
|
||||||
<xref target="minimum_logs"/>.</li>
|
<xref target="minimum_logs"/>.
|
||||||
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
<t>If the policy file is malformed or has invalid values, it is rejected
|
<t>If the policy file is malformed or has invalid values, it is rejected
|
||||||
(treated as if no policy were present), as with MTA-STS.
|
(treated as if no policy were present), as with MTA-STS.
|
||||||
</t>
|
</t>
|
||||||
<t>Lastly the Runtime Processing as described in <xref target="runtime_processing"/> is applicable, too.</t>
|
<t>Lastly the Runtime Processing as described in
|
||||||
|
<xref target="runtime_processing"/>
|
||||||
|
is applicable, too.
|
||||||
|
</t>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@@ -1016,13 +1113,18 @@ https://caa-ct-sts.<domain>.<tld>/.well-known/caa-ct-sts.txt
|
|||||||
<section>
|
<section>
|
||||||
<name>IANA registration CAA Property Tag "issuect"</name>
|
<name>IANA registration CAA Property Tag "issuect"</name>
|
||||||
<t>The following IANA registration is requested.</t>
|
<t>The following IANA registration is requested.</t>
|
||||||
<t>According to <xref target="RFC8126"/> these information are provided:</t>
|
<t>According to
|
||||||
|
<xref target="RFC8126"/>
|
||||||
|
these information are provided:
|
||||||
|
</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>Registry: Certification Authority Restriction Properties.</li>
|
<li>Registry: Certification Authority Restriction Properties.</li>
|
||||||
<li>Registry Group: Public Key Infrastructure using X.509 (PKIX) Parameters.</li>
|
<li>Registry Group: Public Key Infrastructure using X.509 (PKIX) Parameters.</li>
|
||||||
<li>Expert Contact: Mr. Phillip Hallam-Baker (at time of writing).</li>
|
<li>Expert Contact: Mr. Phillip Hallam-Baker (at time of writing).</li>
|
||||||
<li>URI: <eref target="https://www.iana.org/assignments/pkix-parameters/pkix-parameters.xhtml">
|
<li>URI:
|
||||||
Public Key Infrastructure using X.509 (PKIX) Parameters</eref>
|
<eref target="https://www.iana.org/assignments/pkix-parameters/pkix-parameters.xhtml">
|
||||||
|
Public Key Infrastructure using X.509 (PKIX) Parameters
|
||||||
|
</eref>
|
||||||
<xref target="URI8" format="none">[8]</xref>.
|
<xref target="URI8" format="none">[8]</xref>.
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
@@ -1054,13 +1156,18 @@ https://caa-ct-sts.<domain>.<tld>/.well-known/caa-ct-sts.txt
|
|||||||
<section>
|
<section>
|
||||||
<name>Well-Known URIs Registry</name>
|
<name>Well-Known URIs Registry</name>
|
||||||
<t>The following IANA registration is requested.</t>
|
<t>The following IANA registration is requested.</t>
|
||||||
<t>According to <xref target="RFC8126"/> these information are provided:</t>
|
<t>According to
|
||||||
|
<xref target="RFC8126"/>
|
||||||
|
these information are provided:
|
||||||
|
</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>Registry: Well-Known URIs</li>
|
<li>Registry: Well-Known URIs</li>
|
||||||
<li>Registry Group: Well-Known URIs.</li>
|
<li>Registry Group: Well-Known URIs.</li>
|
||||||
<li>Expert Contact: Mr. Mark Nottingham (at time of writing).</li>
|
<li>Expert Contact: Mr. Mark Nottingham (at time of writing).</li>
|
||||||
<li>URI: <eref target="https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml">
|
<li>URI:
|
||||||
Well-Known URIs</eref>
|
<eref target="https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml">
|
||||||
|
Well-Known URIs
|
||||||
|
</eref>
|
||||||
<xref target="URI9" format="none">[9]</xref>.
|
<xref target="URI9" format="none">[9]</xref>.
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
@@ -1092,7 +1199,10 @@ https://caa-ct-sts.<domain>.<tld>/.well-known/caa-ct-sts.txt
|
|||||||
<section>
|
<section>
|
||||||
<name>CAA-CT-STS Strict Transport Security Registry Creation</name>
|
<name>CAA-CT-STS Strict Transport Security Registry Creation</name>
|
||||||
<t>The following IANA "Registry" registration is requested.</t>
|
<t>The following IANA "Registry" registration is requested.</t>
|
||||||
<t>According to <xref target="RFC8126"/> these information are provided:</t>
|
<t>According to
|
||||||
|
<xref target="RFC8126"/>
|
||||||
|
these information are provided:
|
||||||
|
</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>Registry: CAA-CT-STS Strict Transport Security (CAA-CT-STS) [to be created]</li>
|
<li>Registry: CAA-CT-STS Strict Transport Security (CAA-CT-STS) [to be created]</li>
|
||||||
<li>Subregistry: CAA-CT-STS TXT Record Fields [to be created]</li>
|
<li>Subregistry: CAA-CT-STS TXT Record Fields [to be created]</li>
|
||||||
@@ -1167,14 +1277,20 @@ https://caa-ct-sts.<domain>.<tld>/.well-known/caa-ct-sts.txt
|
|||||||
<name>Security Considerations</name>
|
<name>Security Considerations</name>
|
||||||
<t>This extension inherits and adapts security considerations from:</t>
|
<t>This extension inherits and adapts security considerations from:</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>CAA framework <xref target="RFC8659"/>,</li>
|
<li>CAA framework<xref target="RFC8659"/>,
|
||||||
<li>CAA Record Extensions for Account URI and (ACME) Binding <xref target="RFC8657"/>,</li>
|
</li>
|
||||||
<li>Certificate Transparency Version 2.0. <xref target="RFC9162"/>,</li>
|
<li>CAA Record Extensions for Account URI and (ACME) Binding<xref target="RFC8657"/>,
|
||||||
<li>ACME protocol <xref target="RFC8555"/>,</li>
|
</li>
|
||||||
<li>SMTP MTA Strict Transport Security (MTA-STS) <xref target="RFC8461"/>.</li>
|
<li>Certificate Transparency Version 2.0.<xref target="RFC9162"/>,
|
||||||
|
</li>
|
||||||
|
<li>ACME protocol<xref target="RFC8555"/>,
|
||||||
|
</li>
|
||||||
|
<li>SMTP MTA Strict Transport Security (MTA-STS)<xref target="RFC8461"/>.
|
||||||
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
<t>As an extension of the DNS-based CAA framework, this proposal generally falls within the
|
<t>As an extension of the DNS-based CAA framework, this proposal generally falls within the
|
||||||
Internet threat model defined by <xref target="RFC3552"/>.</t>
|
Internet threat model defined by<xref target="RFC3552"/>.
|
||||||
|
</t>
|
||||||
<section>
|
<section>
|
||||||
<name>Global considerations</name>
|
<name>Global considerations</name>
|
||||||
<t>This specification augments the CAA RR framework by introducing finer-grained controls over both
|
<t>This specification augments the CAA RR framework by introducing finer-grained controls over both
|
||||||
@@ -1198,29 +1314,36 @@ https://caa-ct-sts.<domain>.<tld>/.well-known/caa-ct-sts.txt
|
|||||||
</t>
|
</t>
|
||||||
<section anchor="dnssec_fallback">
|
<section anchor="dnssec_fallback">
|
||||||
<name>CAs Preferred Proposed Validation Path</name>
|
<name>CAs Preferred Proposed Validation Path</name>
|
||||||
<t>The <strong>RECOMMENDED</strong> multi-stage retrieval process is:</t>
|
<t>The <strong>RECOMMENDED</strong> multi-stage retrieval process is:
|
||||||
|
</t>
|
||||||
<ol>
|
<ol>
|
||||||
<li><strong>DNSSEC-first:</strong>
|
<li>
|
||||||
|
<strong>DNSSEC-first:</strong>
|
||||||
Attempt to fetch the CAA <strong>"issuect"</strong> RR via DNS, validating all responses with DNSSEC.
|
Attempt to fetch the CAA <strong>"issuect"</strong> RR via DNS, validating all responses with DNSSEC.
|
||||||
If the RR validates successfully, process it per normal CAA logic.
|
If the RR validates successfully, process it per normal CAA logic.
|
||||||
</li>
|
</li>
|
||||||
<li><strong>Well-Known HTTPS (fast-path):</strong>
|
<li>
|
||||||
|
<strong>Well-Known HTTPS (fast-path):</strong>
|
||||||
If DNSSEC validation fails, or the zone is not signed, perform a single HTTPS GET to
|
If DNSSEC validation fails, or the zone is not signed, perform a single HTTPS GET to
|
||||||
"https://caa-ct-sts.<domain>/.well-known/caa-ct-sts.txt",
|
"https://caa-ct-sts.<domain>/.well-known/caa-ct-sts.txt",
|
||||||
resolving the hostname only to it's
|
resolving the hostname only to it's
|
||||||
A/AAAA address (no further name recursion),
|
A/AAAA address (no further name recursion),
|
||||||
to minimize exposure to poisoned or spoofed DNS replies.
|
to minimize exposure to poisoned or spoofed DNS replies.
|
||||||
</li>
|
</li>
|
||||||
<li><strong> IP-only HTTPS (slow-path):</strong>
|
<li>
|
||||||
|
<strong>IP-only HTTPS (slow-path):</strong>
|
||||||
If step 2 fails, explicitly fetch the A/AAAA record for
|
If step 2 fails, explicitly fetch the A/AAAA record for
|
||||||
"caa-ct-sts.<domain>", then open a TLS connection by IP address
|
"caa-ct-sts.<domain>", then open a TLS connection by IP address
|
||||||
(SNI still "caa-ct-sts.<domain>")
|
(SNI still "caa-ct-sts.<domain>")
|
||||||
to retrieve the same policy file.
|
to retrieve the same policy file.
|
||||||
</li>
|
</li>
|
||||||
<li><strong>Insecure DNS with ODoH:</strong>
|
<li>
|
||||||
|
<strong>Insecure DNS with ODoH:</strong>
|
||||||
Should all prior steps be unreachable, fall back to fetching CAA <strong>"issuect"</strong> RRs
|
Should all prior steps be unreachable, fall back to fetching CAA <strong>"issuect"</strong> RRs
|
||||||
over standard DNS, but prefer an
|
over standard DNS, but prefer an
|
||||||
Oblivious DoH (ODoH) <xref target="RFC9230"/> transport to obscure queries
|
Oblivious DoH (ODoH)
|
||||||
|
<xref target="RFC9230"/>
|
||||||
|
transport to obscure queries
|
||||||
from on-path attackers.
|
from on-path attackers.
|
||||||
</li>
|
</li>
|
||||||
</ol>
|
</ol>
|
||||||
@@ -1271,7 +1394,8 @@ https://caa-ct-sts.<domain>.<tld>/.well-known/caa-ct-sts.txt
|
|||||||
least "n = 2" or "n = 3" unique SCTs from independent logs to be accepted in their roots).
|
least "n = 2" or "n = 3" unique SCTs from independent logs to be accepted in their roots).
|
||||||
Domain owners <strong>MUST NOT</strong> specify less than n + 1 CT-Logs under "critical=true".
|
Domain owners <strong>MUST NOT</strong> specify less than n + 1 CT-Logs under "critical=true".
|
||||||
This ensures that even if one of the critical CT logs is unavailable,
|
This ensures that even if one of the critical CT logs is unavailable,
|
||||||
the CA can still obtain the remaining n SCTs and proceed with issuance.</li>
|
the CA can still obtain the remaining n SCTs and proceed with issuance.
|
||||||
|
</li>
|
||||||
<li>"+ 2" Whitelist of Non-Critical CT-Logs.
|
<li>"+ 2" Whitelist of Non-Critical CT-Logs.
|
||||||
In addition to the n + 1 critical logs, domain owners <strong>SHOULD</strong> nominate at least
|
In addition to the n + 1 critical logs, domain owners <strong>SHOULD</strong> nominate at least
|
||||||
up to two further CT-Logs without the "critical=true" flag.
|
up to two further CT-Logs without the "critical=true" flag.
|
||||||
@@ -1281,13 +1405,15 @@ https://caa-ct-sts.<domain>.<tld>/.well-known/caa-ct-sts.txt
|
|||||||
They <strong>MUST NOT</strong> not carry "critical=true"; otherwise,
|
They <strong>MUST NOT</strong> not carry "critical=true"; otherwise,
|
||||||
a transient failure at any one CT-Log would force a full issuance rejection.
|
a transient failure at any one CT-Log would force a full issuance rejection.
|
||||||
These non-critical logs help broaden auditing coverage (e.g., corporate or private logs)
|
These non-critical logs help broaden auditing coverage (e.g., corporate or private logs)
|
||||||
without jeopardizing certificate availability.</li>
|
without jeopardizing certificate availability.
|
||||||
|
</li>
|
||||||
</ol>
|
</ol>
|
||||||
<section anchor="ca_operational_procedure">
|
<section anchor="ca_operational_procedure">
|
||||||
<name>Operational Procedure for CAs</name>
|
<name>Operational Procedure for CAs</name>
|
||||||
<ul>
|
<ul>
|
||||||
<li>Fetch and Validate CAA <strong>"issuect"</strong>: Retrieve the CAA <strong>"issuect"</strong> RR
|
<li>Fetch and Validate CAA <strong>"issuect"</strong>: Retrieve the CAA <strong>"issuect"</strong> RR
|
||||||
(via DNSSEC or the HTTPS fallback) and parse the list of critical versus non-critical CT-Logs.</li>
|
(via DNSSEC or the HTTPS fallback) and parse the list of critical versus non-critical CT-Logs.
|
||||||
|
</li>
|
||||||
<li>Attempt Precertificate Submission: For each critical CT-Log, send the Precertificate
|
<li>Attempt Precertificate Submission: For each critical CT-Log, send the Precertificate
|
||||||
and collect its SCT.
|
and collect its SCT.
|
||||||
If all critical logs successfully return SCTs, proceed.
|
If all critical logs successfully return SCTs, proceed.
|
||||||
@@ -1330,7 +1456,8 @@ https://caa-ct-sts.<domain>.<tld>/.well-known/caa-ct-sts.txt
|
|||||||
out-of-band binding to the X.509 chain:
|
out-of-band binding to the X.509 chain:
|
||||||
</t>
|
</t>
|
||||||
<ol>
|
<ol>
|
||||||
<li><t>TLSA Usage</t>
|
<li>
|
||||||
|
<t>TLSA Usage</t>
|
||||||
<ul>
|
<ul>
|
||||||
<li>3 1 1 — SHA-256 hash of the leaf certificate's SPKI</li>
|
<li>3 1 1 — SHA-256 hash of the leaf certificate's SPKI</li>
|
||||||
<li>3 1 2 — SHA-512 hash of the leaf certificate's SPKI</li>
|
<li>3 1 2 — SHA-512 hash of the leaf certificate's SPKI</li>
|
||||||
@@ -1342,7 +1469,8 @@ https://caa-ct-sts.<domain>.<tld>/.well-known/caa-ct-sts.txt
|
|||||||
used by the policy host, preventing MITM.
|
used by the policy host, preventing MITM.
|
||||||
</t>
|
</t>
|
||||||
</li>
|
</li>
|
||||||
<li><t>SVCB / HTTPS Record</t>
|
<li>
|
||||||
|
<t>SVCB / HTTPS Record</t>
|
||||||
<t>One can define a SVCB (or HTTPS) DNS RR for "caa-ct-sts.<domain>",
|
<t>One can define a SVCB (or HTTPS) DNS RR for "caa-ct-sts.<domain>",
|
||||||
advertising support for HTTP/3 (QUIC)
|
advertising support for HTTP/3 (QUIC)
|
||||||
and pointing to the same IP addresses as the A/AAAA records.
|
and pointing to the same IP addresses as the A/AAAA records.
|
||||||
@@ -1350,13 +1478,15 @@ https://caa-ct-sts.<domain>.<tld>/.well-known/caa-ct-sts.txt
|
|||||||
and connection resilience.
|
and connection resilience.
|
||||||
</t>
|
</t>
|
||||||
</li>
|
</li>
|
||||||
<li><t>Strict TLS Configuration</t>
|
<li>
|
||||||
|
<t>Strict TLS Configuration</t>
|
||||||
<t>The policy server should only accept TLS1.3 with strong cipher suites
|
<t>The policy server should only accept TLS1.3 with strong cipher suites
|
||||||
(e.g., AES_256_GCM) and elliptic-curve key exchange using X448, P-521, or P-384 (in this order).
|
(e.g., AES_256_GCM) and elliptic-curve key exchange using X448, P-521, or P-384 (in this order).
|
||||||
This ensures forward secrecy and resistance to known TLS attacks.
|
This ensures forward secrecy and resistance to known TLS attacks.
|
||||||
</t>
|
</t>
|
||||||
</li>
|
</li>
|
||||||
<li><t>Optional DANE-Style Binding in the Policy File (NOT implemented in this draft)</t>
|
<li>
|
||||||
|
<t>Optional DANE-Style Binding in the Policy File (NOT implemented in this draft)</t>
|
||||||
<t>For maximum end-to-end integrity, the "/.well-known/caa-ct-sts.txt" file itself may include
|
<t>For maximum end-to-end integrity, the "/.well-known/caa-ct-sts.txt" file itself may include
|
||||||
DANE-like fields to bind a specific DNSSEC KZK.
|
DANE-like fields to bind a specific DNSSEC KZK.
|
||||||
For example:
|
For example:
|
||||||
@@ -1397,7 +1527,8 @@ ct_policy: ( "example.ca; \
|
|||||||
well before the actual issuance event.
|
well before the actual issuance event.
|
||||||
As a result, the CAA policy in effect at authorization time may differ from the policy published at
|
As a result, the CAA policy in effect at authorization time may differ from the policy published at
|
||||||
issuance time.
|
issuance time.
|
||||||
To mitigate this risk, CAs SHOULD adopt one or more of the following practices:</t>
|
To mitigate this risk, CAs SHOULD adopt one or more of the following practices:
|
||||||
|
</t>
|
||||||
|
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>Issue pre-authorizations with short validity intervals (for example, one hour).</li>
|
<li>Issue pre-authorizations with short validity intervals (for example, one hour).</li>
|
||||||
@@ -1416,7 +1547,8 @@ ct_policy: ( "example.ca; \
|
|||||||
and the CA resolves DNS exclusively via a trusted DNSSEC-validating resolver,
|
and the CA resolves DNS exclusively via a trusted DNSSEC-validating resolver,
|
||||||
however, the authenticity and integrity of DNS data are assured.
|
however, the authenticity and integrity of DNS data are assured.
|
||||||
</t>
|
</t>
|
||||||
<t>To leverage this protection, a CA's validation process <strong>SHOULD</strong> either:</t>
|
<t>To leverage this protection, a CA's validation process <strong>SHOULD</strong> either:
|
||||||
|
</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>Rely solely on DNSSEC-authenticated DNS responses for all validation data; or</li>
|
<li>Rely solely on DNSSEC-authenticated DNS responses for all validation data; or</li>
|
||||||
<li>Cryptographically bind every other validation channel (e.g., HTTP-01, TLS-ALPN-01)
|
<li>Cryptographically bind every other validation channel (e.g., HTTP-01, TLS-ALPN-01)
|
||||||
@@ -1428,7 +1560,8 @@ ct_policy: ( "example.ca; \
|
|||||||
<name>Scenario Effects for "issuect" and Security</name>
|
<name>Scenario Effects for "issuect" and Security</name>
|
||||||
<t>DNSSEC-secured</t>
|
<t>DNSSEC-secured</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>CAA and <strong>"issuect"</strong> RRs are authenticated.</li>
|
<li>CAA and <strong>"issuect"</strong> RRs are authenticated.
|
||||||
|
</li>
|
||||||
<li>Any modification to these RRs is detected by DNSSEC validation failures.</li>
|
<li>Any modification to these RRs is detected by DNSSEC validation failures.</li>
|
||||||
<li>The CA can trust that CT-Log authorizations originate from the domain owner.</li>
|
<li>The CA can trust that CT-Log authorizations originate from the domain owner.</li>
|
||||||
<li>Certificates cannot be issued "out of band," nor can CAA-driven CT-Log instructions be tampered
|
<li>Certificates cannot be issued "out of band," nor can CAA-driven CT-Log instructions be tampered
|
||||||
@@ -1437,10 +1570,12 @@ ct_policy: ( "example.ca; \
|
|||||||
</ul>
|
</ul>
|
||||||
<t>Not DNSSEC-secured</t>
|
<t>Not DNSSEC-secured</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>CAA and <strong>"issuect"</strong> RRs may be forged or suppressed.</li>
|
<li>CAA and <strong>"issuect"</strong> RRs may be forged or suppressed.
|
||||||
|
</li>
|
||||||
<li>A CA relying on cached or unauthenticated responses risks seeing incorrect policies.</li>
|
<li>A CA relying on cached or unauthenticated responses risks seeing incorrect policies.</li>
|
||||||
<li>An attacker could inject a false empty <strong>"issuect"</strong> ";" to disable logging,
|
<li>An attacker could inject a false empty <strong>"issuect"</strong> ";" to disable logging,
|
||||||
or point to malicious CT-Logs, subverting transparency.</li>
|
or point to malicious CT-Logs, subverting transparency.
|
||||||
|
</li>
|
||||||
<li>In extreme "SOA interception" scenarios, an attacker could entirely block certificate issuance by
|
<li>In extreme "SOA interception" scenarios, an attacker could entirely block certificate issuance by
|
||||||
dropping CAA/A RRs.
|
dropping CAA/A RRs.
|
||||||
</li>
|
</li>
|
||||||
@@ -1497,9 +1632,10 @@ ct_policy: ( "example.ca; \
|
|||||||
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9499.xml"/>
|
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9499.xml"/>
|
||||||
<reference anchor="X.680" target="https://www.itu.int/rec/T-REC-X.680-X.693-202102-I/en">
|
<reference anchor="X.680" target="https://www.itu.int/rec/T-REC-X.680-X.693-202102-I/en">
|
||||||
<front>
|
<front>
|
||||||
<title>Information technology – Abstract Syntax Notation One (ASN.1): Specification of basic notation</title>
|
<title>Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation</title>
|
||||||
<author>
|
<author>
|
||||||
<organization>International Telecommunication Union, Telecommunication Standardization Sector (ITU-T)</organization>
|
<organization>International Telecommunication Union, Telecommunication Standardization Sector (ITU-T)
|
||||||
|
</organization>
|
||||||
</author>
|
</author>
|
||||||
<date month="June" year="2021"/>
|
<date month="June" year="2021"/>
|
||||||
</front>
|
</front>
|
||||||
@@ -1507,9 +1643,12 @@ ct_policy: ( "example.ca; \
|
|||||||
</reference>
|
</reference>
|
||||||
<reference anchor="X.690" target="https://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf">
|
<reference anchor="X.690" target="https://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf">
|
||||||
<front>
|
<front>
|
||||||
<title>Information technology – ASN.1 encoding rules: Specification of Basic, Canonical, and Distinguished Encoding Rules</title>
|
<title>Information technology - ASN.1 encoding rules: Specification of Basic, Canonical, and Distinguished Encoding
|
||||||
|
Rules
|
||||||
|
</title>
|
||||||
<author>
|
<author>
|
||||||
<organization>International Telecommunication Union, Telecommunication Standardization Sector (ITU-T)</organization>
|
<organization>International Telecommunication Union, Telecommunication Standardization Sector (ITU-T)
|
||||||
|
</organization>
|
||||||
</author>
|
</author>
|
||||||
<date month="July" year="2021"/>
|
<date month="July" year="2021"/>
|
||||||
</front>
|
</front>
|
||||||
@@ -1520,7 +1659,7 @@ ct_policy: ( "example.ca; \
|
|||||||
<name>Informative References</name>
|
<name>Informative References</name>
|
||||||
<reference anchor="POSIX" target="https://pubs.opengroup.org/onlinepubs/9699919799.2018edition/">
|
<reference anchor="POSIX" target="https://pubs.opengroup.org/onlinepubs/9699919799.2018edition/">
|
||||||
<front>
|
<front>
|
||||||
<title>Portable Operating System Interface (POSIX™) – Base Specifications</title>
|
<title>Portable Operating System Interface (POSIX™) - Base Specifications</title>
|
||||||
<author>
|
<author>
|
||||||
<organization>The Institute of Electrical and Electronics Engineers; The Open Group</organization>
|
<organization>The Institute of Electrical and Electronics Engineers; The Open Group</organization>
|
||||||
</author>
|
</author>
|
||||||
@@ -1553,7 +1692,8 @@ ct_policy: ( "example.ca; \
|
|||||||
</front>
|
</front>
|
||||||
</reference>
|
</reference>
|
||||||
|
|
||||||
<reference anchor="URI2" target="https://keys.openpgp.org/vks/v1/by-fingerprint/7A8341E5F1570319D80F4418A11E88519A3D8CF6">
|
<reference anchor="URI2"
|
||||||
|
target="https://keys.openpgp.org/vks/v1/by-fingerprint/7A8341E5F1570319D80F4418A11E88519A3D8CF6">
|
||||||
<front>
|
<front>
|
||||||
<title>7A83 41E5 F157 0319 D80F 4418 A11E 8851 9A3D 8CF6</title>
|
<title>7A83 41E5 F157 0319 D80F 4418 A11E 8851 9A3D 8CF6</title>
|
||||||
<author/>
|
<author/>
|
||||||
@@ -1616,27 +1756,40 @@ ct_policy: ( "example.ca; \
|
|||||||
<section anchor="caa_processing_checklist">
|
<section anchor="caa_processing_checklist">
|
||||||
<name>Informational: CAA "issuect" Property Tag Processing Checklist</name>
|
<name>Informational: CAA "issuect" Property Tag Processing Checklist</name>
|
||||||
<ol type="(%d)">
|
<ol type="(%d)">
|
||||||
<li><t><strong>Discover Relevant RRSet</strong></t>
|
<li>
|
||||||
|
<t>
|
||||||
|
<strong>Discover Relevant RRSet</strong>
|
||||||
|
</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>Perform DNS lookup for the domain's CAA RRSet using the algorithm from
|
<li>Perform DNS lookup for the domain's CAA RRSet using the algorithm from
|
||||||
<eref target="https://www.rfc-editor.org/rfc/rfc8659#section-3">Section 3</eref> of
|
<eref target="https://www.rfc-editor.org/rfc/rfc8659#section-3">Section 3</eref>
|
||||||
|
of
|
||||||
<xref target="RFC8659"/>
|
<xref target="RFC8659"/>
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li><t><strong>Check for "issuect" Presence</strong></t>
|
<li>
|
||||||
|
<t>
|
||||||
|
<strong>Check for "issuect" Presence</strong>
|
||||||
|
</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>If the RRSet is empty or contains no <strong>"issuect"</strong> RRs,
|
<li>If the RRSet is empty or contains no <strong>"issuect"</strong> RRs,
|
||||||
proceed without CT-Log restrictions.
|
proceed without CT-Log restrictions.
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li><t><strong>Repeat for Each Domain</strong></t>
|
<li>
|
||||||
|
<t>
|
||||||
|
<strong>Repeat for Each Domain</strong>
|
||||||
|
</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>For multi-domain Certificates (e.g., via SANs), repeat steps 1–2 for each domain name.</li>
|
<li>For multi-domain Certificates (e.g., via SANs), repeat steps 1-2 for each domain name.</li>
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li><t><strong>Validate issue / issuewild Authorization</strong></t>
|
<li>
|
||||||
|
<t>
|
||||||
|
<strong>Validate issue / issuewild Authorization</strong>
|
||||||
|
</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>Independently verify any "issue" or "issuewild" CAA RRs before considering CT-Log restrictions.</li>
|
<li>Independently verify any "issue" or "issuewild" CAA RRs before considering CT-Log restrictions.</li>
|
||||||
<li>If CAA authorization and <strong>"issuect"</strong> parameters reference different CAs,
|
<li>If CAA authorization and <strong>"issuect"</strong> parameters reference different CAs,
|
||||||
@@ -1644,7 +1797,10 @@ ct_policy: ( "example.ca; \
|
|||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li><t><strong>Parse and Validate issuect Parameters</strong></t>
|
<li>
|
||||||
|
<t>
|
||||||
|
<strong>Parse and Validate issuect Parameters</strong>
|
||||||
|
</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>Ensure exactly eight parameters appear in the correct order (see Section 3.3).</li>
|
<li>Ensure exactly eight parameters appear in the correct order (see Section 3.3).</li>
|
||||||
<li>Enforce RFC 2119 rules:</li>
|
<li>Enforce RFC 2119 rules:</li>
|
||||||
@@ -1657,18 +1813,26 @@ ct_policy: ( "example.ca; \
|
|||||||
<li>Treat any formatting errors as if the RR does not exist.</li>
|
<li>Treat any formatting errors as if the RR does not exist.</li>
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li><t><strong>Enforce Whitelist and Default-Deny Semantics</strong></t>
|
<li>
|
||||||
|
<t>
|
||||||
|
<strong>Enforce Whitelist and Default-Deny Semantics</strong>
|
||||||
|
</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>If one or more valid <strong>"issuect"</strong> RRs exist:</li>
|
<li>If one or more valid <strong>"issuect"</strong> RRs exist:
|
||||||
|
</li>
|
||||||
<li>Permit CT-Log submissions only to the union of all whitelisted URIs.</li>
|
<li>Permit CT-Log submissions only to the union of all whitelisted URIs.</li>
|
||||||
<li>If any RR has "critical=true", reject issuance unless all issued SCTs are
|
<li>If any RR has "critical=true", reject issuance unless all issued SCTs are
|
||||||
logged to a whitelisted CT-Log.</li>
|
logged to a whitelisted CT-Log.
|
||||||
|
</li>
|
||||||
<li>If an empty <strong>"issuect"</strong> ";" RR is present,
|
<li>If an empty <strong>"issuect"</strong> ";" RR is present,
|
||||||
and no non-empty RRs exist, prohibit all CT-Log submissions.
|
and no non-empty RRs exist, prohibit all CT-Log submissions.
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li><t><strong>Determine Required SCT Count</strong></t>
|
<li>
|
||||||
|
<t>
|
||||||
|
<strong>Determine Required SCT Count</strong>
|
||||||
|
</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>For each CA, obtain at least n + 1 unique CAA <strong>"issuect"</strong> RRs,
|
<li>For each CA, obtain at least n + 1 unique CAA <strong>"issuect"</strong> RRs,
|
||||||
where n is the minimum SCT count (Section 4.1).
|
where n is the minimum SCT count (Section 4.1).
|
||||||
@@ -1676,7 +1840,10 @@ ct_policy: ( "example.ca; \
|
|||||||
<li>Consult CA policies (e.g., Google's or Apple's CT-Log requirements) for the exact value of n.</li>
|
<li>Consult CA policies (e.g., Google's or Apple's CT-Log requirements) for the exact value of n.</li>
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li><t><strong>Proceed with Certificate Issuance</strong></t>
|
<li>
|
||||||
|
<t>
|
||||||
|
<strong>Proceed with Certificate Issuance</strong>
|
||||||
|
</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>Only after all the above checks pass,
|
<li>Only after all the above checks pass,
|
||||||
CAA authorization, <strong>"issuect"</strong> validation, SCT count and logging requirements,
|
CAA authorization, <strong>"issuect"</strong> validation, SCT count and logging requirements,
|
||||||
@@ -2030,19 +2197,22 @@ echo "${JSON}" | awk -v OWN="${OWN_DOMAIN}" -v CA="${CAA_DOMAIN}" -v CRIT="${CRI
|
|||||||
<name>Informational: DNS TTL</name>
|
<name>Informational: DNS TTL</name>
|
||||||
<section>
|
<section>
|
||||||
<name>High-Security, High-Change Environments</name>
|
<name>High-Security, High-Change Environments</name>
|
||||||
<t>It is <strong>RECOMMENDED</strong> to prefer very low TTL (60–300 s).
|
<t>It is <strong>RECOMMENDED</strong> to prefer very low TTL (60-300 s).
|
||||||
In case of compromise or mistakes a real time reaction is still possible.</t>
|
In case of compromise or mistakes a real time reaction is still possible.
|
||||||
|
</t>
|
||||||
</section>
|
</section>
|
||||||
<section>
|
<section>
|
||||||
<name>Stable, Low-Risk Domains with DDoS Concerns</name>
|
<name>Stable, Low-Risk Domains with DDoS Concerns</name>
|
||||||
<t>It is <strong>RECOMMENDED</strong> to prefer high TTL (86 400 s+) to minimize
|
<t>It is <strong>RECOMMENDED</strong> to prefer high TTL (86 400 s+) to minimize
|
||||||
DNS-load and reduce resolver queries.</t>
|
DNS-load and reduce resolver queries.
|
||||||
|
</t>
|
||||||
</section>
|
</section>
|
||||||
<section>
|
<section>
|
||||||
<name>Balanced Approach for Most</name>
|
<name>Balanced Approach for Most</name>
|
||||||
<t>It is <strong>RECOMMENDED</strong> to use a medium TTL (e.g., 3 600 s / 1 h).
|
<t>It is <strong>RECOMMENDED</strong> to use a medium TTL (e.g., 3 600 s / 1 h).
|
||||||
It limits exposure to cache-poisoning and CA mis-issuance to an hour,
|
It limits exposure to cache-poisoning and CA mis-issuance to an hour,
|
||||||
while keeping query volume manageable.</t>
|
while keeping query volume manageable.
|
||||||
|
</t>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
<section anchor="change_history">
|
<section anchor="change_history">
|
||||||
|
|||||||
Reference in New Issue
Block a user