V1.01.192.2025.06.06
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Binary file not shown.
Binary file not shown.
@@ -41,7 +41,7 @@
|
|||||||
</address>
|
</address>
|
||||||
</author>
|
</author>
|
||||||
|
|
||||||
<date year="2025" month="06" day="03"/>
|
<date year="2025" month="06" day="06"/>
|
||||||
|
|
||||||
<area>General</area>
|
<area>General</area>
|
||||||
<workgroup>Internet Engineering Task Force</workgroup>
|
<workgroup>Internet Engineering Task Force</workgroup>
|
||||||
@@ -102,7 +102,7 @@
|
|||||||
<t>Certification Authority Authorization (CAA)
|
<t>Certification Authority Authorization (CAA)
|
||||||
<xref target="RFC8659"/>
|
<xref target="RFC8659"/>
|
||||||
RRs empower domain owners
|
RRs empower domain owners
|
||||||
to specify, via DNS<xref target="RFC1035"/>, which Certificate Authorities (CAs) in a
|
to specify, via DNS <xref target="RFC1035"/>, which Certificate Authorities (CAs) in a
|
||||||
Public Key Infrastructure
|
Public Key Infrastructure
|
||||||
<xref target="RFC5280"/>
|
<xref target="RFC5280"/>
|
||||||
may or may not issue Certificates for their domains.
|
may or may not issue Certificates for their domains.
|
||||||
@@ -212,11 +212,11 @@
|
|||||||
</section>
|
</section>
|
||||||
<section>
|
<section>
|
||||||
<name>CAA Certificate Transparency Strict Transport Security (CAA-CT-STS)</name>
|
<name>CAA Certificate Transparency Strict Transport Security (CAA-CT-STS)</name>
|
||||||
<t>CAA-CT-STS,<xref target="caa_ct_sts"/>, is a policy framework
|
<t>CAA-CT-STS, <xref target="caa_ct_sts"/>, is a policy framework
|
||||||
that combines the mechanisms of CAA, CT, and MTA-STS
|
that combines the mechanisms of CAA, CT, and MTA-STS
|
||||||
by which a domain holder can publish Certificate-Transparency enforcement
|
by which a domain holder can publish Certificate-Transparency enforcement
|
||||||
requirements alongside CA Authorization (CAA) over a second secured channel.
|
requirements alongside CA Authorization (CAA) over a second secured channel.
|
||||||
It mirrors the approach of SMTP MTA-STS<xref target="RFC8461"/>, using DNS TXT RR, a specific
|
It mirrors the approach of SMTP MTA-STS <xref target="RFC8461"/>, using DNS TXT RR, a specific
|
||||||
subdomain and an HTTPS only served policy file.
|
subdomain and an HTTPS only served policy file.
|
||||||
A special DNS TXT record <strong>"_caa-ct-sts"</strong>
|
A special DNS TXT record <strong>"_caa-ct-sts"</strong>
|
||||||
<xref target="caa_ct_sts_txt"/>
|
<xref target="caa_ct_sts_txt"/>
|
||||||
@@ -230,19 +230,19 @@
|
|||||||
</section>
|
</section>
|
||||||
<section>
|
<section>
|
||||||
<name>Operational discussions</name>
|
<name>Operational discussions</name>
|
||||||
<t>Lastly, practical aspects such as a CA Processing Checklist,<xref target="caa_processing_checklist"/>,
|
<t>Lastly, practical aspects such as a CA Processing Checklist, <xref target="caa_processing_checklist"/>,
|
||||||
caching behavior<xref target="dns_ttl"/>, and fallback,<xref target="dnssec_fallback"/>,
|
caching behavior <xref target="dns_ttl"/>, and fallback, <xref target="dnssec_fallback"/>,
|
||||||
strategies for non-DNSSEC zones are addressed.
|
strategies for non-DNSSEC zones are addressed.
|
||||||
Throughout this document, the framework is referred to by the recursive acronym
|
Throughout this document, the framework is referred to by the recursive acronym
|
||||||
<strong>CATALOG</strong>
|
<strong>CATALOG</strong>
|
||||||
(CATALOG Authorization Transparency And Log Overlay for Graph-based DNS).
|
(CATALOG Authorization Transparency And Log Overlay for Graph-based DNS).
|
||||||
</t>
|
</t>
|
||||||
<t>The following sections specify the complete syntax and semantics of both of the
|
<t>The following sections specify the complete syntax and semantics of both of the
|
||||||
CAA <strong>"issuect"</strong> Property Tag,<xref target="caa_property"/>, and
|
CAA <strong>"issuect"</strong> Property Tag, <xref target="caa_property"/>, and
|
||||||
CAA-CT-STS framework,<xref target="caa_ct_sts"/>,
|
CAA-CT-STS framework, <xref target="caa_ct_sts"/>,
|
||||||
detail processing rules for CAs and resolvers for both of the
|
detail processing rules for CAs and resolvers for both of the
|
||||||
CAA <strong>"issuect"</strong> Property Tag,<xref target="issuect_processing"/>, and
|
CAA <strong>"issuect"</strong> Property Tag, <xref target="issuect_processing"/>, and
|
||||||
CAA-CT-STS,<xref target="caa_ct_sts_processing"/>, framework.
|
CAA-CT-STS, <xref target="caa_ct_sts_processing"/>, framework.
|
||||||
</t>
|
</t>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@@ -258,7 +258,7 @@
|
|||||||
<strong>"RECOMMENDED"</strong>, <strong>"NOT RECOMMENDED"</strong>, <strong>"MAY"</strong>, and
|
<strong>"RECOMMENDED"</strong>, <strong>"NOT RECOMMENDED"</strong>, <strong>"MAY"</strong>, and
|
||||||
<strong>"OPTIONAL"</strong>
|
<strong>"OPTIONAL"</strong>
|
||||||
in this document are to be interpreted as described in
|
in this document are to be interpreted as described in
|
||||||
BCP 14<xref target="RFC2119"/>,
|
BCP 14 <xref target="RFC2119"/>,
|
||||||
<xref target="RFC8174"/>
|
<xref target="RFC8174"/>
|
||||||
when, and only when,
|
when, and only when,
|
||||||
they appear in all capitals, as shown here.
|
they appear in all capitals, as shown here.
|
||||||
@@ -281,7 +281,7 @@
|
|||||||
<td align="left">Certification Authority Authorization</td>
|
<td align="left">Certification Authority Authorization</td>
|
||||||
<td align="left">Allows a DNS domain name holder to specify one or more CAs authorized to issue
|
<td align="left">Allows a DNS domain name holder to specify one or more CAs authorized to issue
|
||||||
Certificates for that domain name.
|
Certificates for that domain name.
|
||||||
See:<xref target="RFC8657"/>,<xref target="RFC8659"/>.
|
See: <xref target="RFC8657"/>, <xref target="RFC8659"/>.
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
@@ -289,7 +289,7 @@
|
|||||||
<td align="left">CAA Certificate Transparency Strict Transport Security</td>
|
<td align="left">CAA Certificate Transparency Strict Transport Security</td>
|
||||||
<td align="left">CAA-CT-STS is a policy framework, by which a domain holder can publish
|
<td align="left">CAA-CT-STS is a policy framework, by which a domain holder can publish
|
||||||
Certificate-Transparency enforcement requirements alongside CA authorization (CAA).
|
Certificate-Transparency enforcement requirements alongside CA authorization (CAA).
|
||||||
See:<xref target="caa_ct_sts"/>.
|
See: <xref target="caa_ct_sts"/>.
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
@@ -297,7 +297,7 @@
|
|||||||
<td align="left">CAA-CT-STS Policy File</td>
|
<td align="left">CAA-CT-STS Policy File</td>
|
||||||
<td align="left">The set of rules fetched via HTTPS from the Policy Domains
|
<td align="left">The set of rules fetched via HTTPS from the Policy Domains
|
||||||
"/.well-known/caa-ct-sts.txt".
|
"/.well-known/caa-ct-sts.txt".
|
||||||
See:<xref target="caa_ct_sts_policy"/>.
|
See: <xref target="caa_ct_sts_policy"/>.
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
@@ -305,7 +305,7 @@
|
|||||||
<td align="left">CATALOG Authorization Transparency And Log Overlay for Graph-based DNS</td>
|
<td align="left">CATALOG Authorization Transparency And Log Overlay for Graph-based DNS</td>
|
||||||
<td align="left">A Proposal to enrich DNS-based CAA RRs with Certificate Transparency URI
|
<td align="left">A Proposal to enrich DNS-based CAA RRs with Certificate Transparency URI
|
||||||
bindings.
|
bindings.
|
||||||
This document:<xref target="URI1"/>.
|
This document: <xref target="URI1"/>.
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
@@ -323,7 +323,7 @@
|
|||||||
<td align="left">CP</td>
|
<td align="left">CP</td>
|
||||||
<td align="left">Certificate Policy</td>
|
<td align="left">Certificate Policy</td>
|
||||||
<td align="left">Specifies the criteria that a CA undertakes to meet in its issue of Certificates.
|
<td align="left">Specifies the criteria that a CA undertakes to meet in its issue of Certificates.
|
||||||
See:<xref target="RFC3647"/>.
|
See: <xref target="RFC3647"/>.
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
@@ -331,7 +331,7 @@
|
|||||||
<td align="left">Certification Practices Statement</td>
|
<td align="left">Certification Practices Statement</td>
|
||||||
<td align="left">Specifies the means by which the criteria of the CP are met.
|
<td align="left">Specifies the means by which the criteria of the CP are met.
|
||||||
In most cases, this will be the document against which the operations of the CA are audited.
|
In most cases, this will be the document against which the operations of the CA are audited.
|
||||||
See:<xref target="RFC3647"/>.
|
See: <xref target="RFC3647"/>.
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
@@ -339,7 +339,7 @@
|
|||||||
<td align="left">Certification Transparency</td>
|
<td align="left">Certification Transparency</td>
|
||||||
<td align="left">Certificate Transparency aims to mitigate the problem of misissued Certificates by
|
<td align="left">Certificate Transparency aims to mitigate the problem of misissued Certificates by
|
||||||
providing append-only logs of issued Certificates.
|
providing append-only logs of issued Certificates.
|
||||||
See:<xref target="RFC6962"/>,<xref target="RFC9162"/>.
|
See: <xref target="RFC6962"/>,<xref target="RFC9162"/>.
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
@@ -362,14 +362,14 @@
|
|||||||
<xref target="RFC5246"/>
|
<xref target="RFC5246"/>
|
||||||
or Datagram Transport Layer Security (DTLS)
|
or Datagram Transport Layer Security (DTLS)
|
||||||
<xref target="RFC6347"/>
|
<xref target="RFC6347"/>
|
||||||
transport endpoint. See:<xref target="RFC6698"/>,<xref target="RFC7671"/>.
|
transport endpoint. See: <xref target="RFC6698"/>,<xref target="RFC7671"/>.
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td align="left">DNS</td>
|
<td align="left">DNS</td>
|
||||||
<td align="left">Domain Name System</td>
|
<td align="left">Domain Name System</td>
|
||||||
<td align="left">The Internet naming system specified in
|
<td align="left">The Internet naming system specified in
|
||||||
<xref target="RFC1034"/>,<xref target="RFC1035"/>,<xref target="RFC9499"/>, and any
|
<xref target="RFC1034"/>, <xref target="RFC1035"/>, <xref target="RFC9499"/>, and any
|
||||||
revisions to these specifications.
|
revisions to these specifications.
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
@@ -377,7 +377,7 @@
|
|||||||
<td align="left">DNSSEC</td>
|
<td align="left">DNSSEC</td>
|
||||||
<td align="left">DNS Security Extensions</td>
|
<td align="left">DNS Security Extensions</td>
|
||||||
<td align="left">Extensions to the DNS that provide authentication services as specified in
|
<td align="left">Extensions to the DNS that provide authentication services as specified in
|
||||||
<xref target="RFC4033"/>,<xref target="RFC4034"/>,<xref target="RFC4035"/>,
|
<xref target="RFC4033"/>, <xref target="RFC4034"/>, <xref target="RFC4035"/>,
|
||||||
<xref target="RFC5155"/>,
|
<xref target="RFC5155"/>,
|
||||||
<xref target="RFC9364"/>, and any revisions to these specifications.
|
<xref target="RFC9364"/>, and any revisions to these specifications.
|
||||||
</td>
|
</td>
|
||||||
@@ -407,7 +407,7 @@
|
|||||||
<td align="left">DNS Resource Record</td>
|
<td align="left">DNS Resource Record</td>
|
||||||
<td align="left">A particular entry in the DNS, including the owner name, class, type, time to live,
|
<td align="left">A particular entry in the DNS, including the owner name, class, type, time to live,
|
||||||
and data, as defined in
|
and data, as defined in
|
||||||
<xref target="RFC1034"/>,<xref target="RFC2181"/>.
|
<xref target="RFC1034"/>, <xref target="RFC2181"/>.
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
@@ -456,7 +456,7 @@
|
|||||||
</t>
|
</t>
|
||||||
<t>In addition, <strong>absolute-URI</strong> is defined in
|
<t>In addition, <strong>absolute-URI</strong> is defined in
|
||||||
<eref target="https://www.rfc-editor.org/rfc/rfc3986.html#section-4.3">Section 4.3</eref>
|
<eref target="https://www.rfc-editor.org/rfc/rfc3986.html#section-4.3">Section 4.3</eref>
|
||||||
of<xref target="RFC3986"/>.
|
of <xref target="RFC3986"/>.
|
||||||
</t>
|
</t>
|
||||||
<figure>
|
<figure>
|
||||||
<name>CAA "issuect" Property Tag ABNF Syntax</name>
|
<name>CAA "issuect" Property Tag ABNF Syntax</name>
|
||||||
@@ -545,7 +545,7 @@ b64-string = 1*( b64-char / "=" )
|
|||||||
<dd>: The parameter name cturi, followed by "=", followed by an uri.</dd>
|
<dd>: The parameter name cturi, followed by "=", followed by an uri.</dd>
|
||||||
|
|
||||||
<dt>uri</dt>
|
<dt>uri</dt>
|
||||||
<dd>: An absolute URI as defined by<xref target="RFC3986"/>.
|
<dd>: An absolute URI as defined by <xref target="RFC3986"/>.
|
||||||
</dd>
|
</dd>
|
||||||
|
|
||||||
<dt>logid-param</dt>
|
<dt>logid-param</dt>
|
||||||
@@ -612,15 +612,15 @@ issuect "<issuer-domain>; <critical>; <description>; <validfrom>; <validtill>; <
|
|||||||
</ol>
|
</ol>
|
||||||
<t>Whereas</t>
|
<t>Whereas</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>Timestamps are according to<xref target="ISO-8601"/>.
|
<li>Timestamps are according to <xref target="ISO-8601"/>.
|
||||||
</li>
|
</li>
|
||||||
<li>BASE64-encoding is according to<xref target="RFC4648"/>.
|
<li>BASE64-encoding is according to <xref target="RFC4648"/>.
|
||||||
</li>
|
</li>
|
||||||
<li>SHA256-hash is according to<xref target="RFC6234"/>.
|
<li>SHA256-hash is according to <xref target="RFC6234"/>.
|
||||||
</li>
|
</li>
|
||||||
<li>DER-encoding is according to<xref target="X.690"/>.
|
<li>DER-encoding is according to <xref target="X.690"/>.
|
||||||
</li>
|
</li>
|
||||||
<li>ASN.1-format is according to<xref target="X.680"/>.
|
<li>ASN.1-format is according to <xref target="X.680"/>.
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
</section>
|
</section>
|
||||||
@@ -792,7 +792,7 @@ issuect ";"
|
|||||||
check for the publication of a relevant RRSet.
|
check for the publication of a relevant RRSet.
|
||||||
Discovery of the relevant RRSet <strong>MUST</strong> be performed according to the algorithm specified in
|
Discovery of the relevant RRSet <strong>MUST</strong> be performed according to the algorithm specified in
|
||||||
<eref target="https://www.rfc-editor.org/rfc/rfc8659#section-3">Section 3</eref>
|
<eref target="https://www.rfc-editor.org/rfc/rfc8659#section-3">Section 3</eref>
|
||||||
of<xref target="RFC8659"/>.
|
of <xref target="RFC8659"/>.
|
||||||
|
|
||||||
If the relevant RRSet is empty or does not contain any <strong>"issuect"</strong> Properties,
|
If the relevant RRSet is empty or does not contain any <strong>"issuect"</strong> Properties,
|
||||||
it is interpreted that the domain owner has not requested any restrictions regarding the submission
|
it is interpreted that the domain owner has not requested any restrictions regarding the submission
|
||||||
@@ -804,7 +804,7 @@ issuect ";"
|
|||||||
|
|
||||||
The presence of an <strong>"issuect"</strong> Property <strong>MUST NOT</strong> replace or supersede
|
The presence of an <strong>"issuect"</strong> Property <strong>MUST NOT</strong> replace or supersede
|
||||||
the required validation of the domain name as specified by the "issue" or "issuewild" Properties in the
|
the required validation of the domain name as specified by the "issue" or "issuewild" Properties in the
|
||||||
CAA RRSet, as outlined in the CAA specification<xref target="RFC8659"/>.
|
CAA RRSet, as outlined in the CAA specification <xref target="RFC8659"/>.
|
||||||
|
|
||||||
Certification Authorities <strong>MUST</strong> still validate authorization according to the CAA
|
Certification Authorities <strong>MUST</strong> still validate authorization according to the CAA
|
||||||
"issue" and / or "issuewild" policies.
|
"issue" and / or "issuewild" policies.
|
||||||
@@ -1277,19 +1277,19 @@ https://caa-ct-sts.<domain>.<tld>/.well-known/caa-ct-sts.txt
|
|||||||
<name>Security Considerations</name>
|
<name>Security Considerations</name>
|
||||||
<t>This extension inherits and adapts security considerations from:</t>
|
<t>This extension inherits and adapts security considerations from:</t>
|
||||||
<ul spacing="normal" empty="false" indent="2" bare="false">
|
<ul spacing="normal" empty="false" indent="2" bare="false">
|
||||||
<li>CAA framework<xref target="RFC8659"/>,
|
<li>CAA framework <xref target="RFC8659"/>,
|
||||||
</li>
|
</li>
|
||||||
<li>CAA Record Extensions for Account URI and (ACME) Binding<xref target="RFC8657"/>,
|
<li>CAA Record Extensions for Account URI and (ACME) Binding <xref target="RFC8657"/>,
|
||||||
</li>
|
</li>
|
||||||
<li>Certificate Transparency Version 2.0.<xref target="RFC9162"/>,
|
<li>Certificate Transparency Version 2.0. <xref target="RFC9162"/>,
|
||||||
</li>
|
</li>
|
||||||
<li>ACME protocol<xref target="RFC8555"/>,
|
<li>ACME protocol <xref target="RFC8555"/>,
|
||||||
</li>
|
</li>
|
||||||
<li>SMTP MTA Strict Transport Security (MTA-STS)<xref target="RFC8461"/>.
|
<li>SMTP MTA Strict Transport Security (MTA-STS) <xref target="RFC8461"/>.
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
<t>As an extension of the DNS-based CAA framework, this proposal generally falls within the
|
<t>As an extension of the DNS-based CAA framework, this proposal generally falls within the
|
||||||
Internet threat model defined by<xref target="RFC3552"/>.
|
Internet threat model defined by <xref target="RFC3552"/>.
|
||||||
</t>
|
</t>
|
||||||
<section>
|
<section>
|
||||||
<name>Global considerations</name>
|
<name>Global considerations</name>
|
||||||
@@ -1685,7 +1685,7 @@ ct_policy: ( "example.ca; \
|
|||||||
</references>
|
</references>
|
||||||
<references>
|
<references>
|
||||||
<name>URI</name>
|
<name>URI</name>
|
||||||
<reference anchor="URI1" target="https://coresecret.dev/msw/draft-weidner-catalog-rr-ext.git">
|
<reference anchor="URI1" target="https://git.coresecret.dev/msw/draft-weidner-catalog-rr-ext">
|
||||||
<front>
|
<front>
|
||||||
<title>This document</title>
|
<title>This document</title>
|
||||||
<author/>
|
<author/>
|
||||||
@@ -1863,7 +1863,7 @@ ct_policy: ( "example.ca; \
|
|||||||
Their BIND file notation format is defined in<xref target="RFC1035"/>.
|
Their BIND file notation format is defined in<xref target="RFC1035"/>.
|
||||||
Parentheses are used to ignore a line break in DNS zone-file presentation format, as per
|
Parentheses are used to ignore a line break in DNS zone-file presentation format, as per
|
||||||
<eref target="https://rfc-editor.org/rfc/rfc1035#section-5.1">Section 5.1</eref>
|
<eref target="https://rfc-editor.org/rfc/rfc1035#section-5.1">Section 5.1</eref>
|
||||||
of<xref target="RFC1035"/>.
|
of <xref target="RFC1035"/>.
|
||||||
</t>
|
</t>
|
||||||
</section>
|
</section>
|
||||||
<section anchor="comprehensive_example">
|
<section anchor="comprehensive_example">
|
||||||
|
|||||||
Reference in New Issue
Block a user