Closed Bug 1532313 Opened 7 months ago Closed 7 months ago

Comodo: Possible CAA Misissuance against critical record

Categories

(NSS :: CA Certificate Compliance, task)


Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: admin, Assigned: wayne)

Details

(Whiteboard: [ca-compliance])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763

Steps to reproduce:

I requested a certificate for a domain with the following CAA records configured in DNS:

critical.gm32888.pl. 1 IN CAA 128 issue "my.very.own.ca"
critical.gm32888.pl. 1 IN CAA 0 issue "comodoca.com"

Actual results:

I got my certificate issued.

https://crt.sh/?id=1253875270

Expected results:

As stated in the CA/B Forum Baseline Requirements (Section 3.2.2.8, CAA Records):
"CAs MUST respect the critical flag and not issue a certificate if they encounter an unrecognized property with this flag set."
In RFC-6844 (Section 2.2. Defined Terms) "property" is specified as:
"Property: The tag-value portion of a CAA Resource Record."

According to this, in my case the "property" is "issue my.very.own.ca".
I believe that it's not a recognized property for Comodo CA.

It looks like a misissuance, or a possible mistake in the CA/B BR: instead of "property" it should say "property tag", like this:
"CAs MUST respect the critical flag and not issue a certificate if they encounter an unrecognized property tag with this flag set."

This doesn't look like a misissuance but rather a potential erratum in RFC 6844. I will ask the question on m.d.s.p.

QA Contact: kwilson → wthayer
Whiteboard: [ca-compliance]

I don't believe this is misissuance.

The 'property' here is 'issue', which is recognized and defined. According to the BRs, all CAs must support this property. When constructing the CAA record set, there are two values for the 'issue' property, allowing either CA - comodoca.com or my.very.own.ca - to issue. See https://tools.ietf.org/html/rfc6844#section-5.2

The specified language is to ensure that if domains do something like

critical.gm32888.pl. 1 IN CAA 128 myuniquevalue "anything here it doesn't matter"

the CAA check will fail, because 'myuniquevalue' is an unrecognized (and unspecified) property, as per the "Certification Authority Restriction Properties" registry (established in https://tools.ietf.org/html/rfc6844#section-7.2 and maintained at https://www.iana.org/assignments/pkix-parameters/pkix-parameters.xhtml#caa-properties).

See also https://tools.ietf.org/html/rfc6844#section-3

Wayne: I think we should just straight Resolved/Invalid this.
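As an added illustration (not code from the bug, from Comodo, or from any CA's validation stack), the following Python checker applies the RFC 6844 processing the comments describe: it refuses issuance only when the critical flag sits on an unrecognized property tag, and otherwise compares the CA's domain against the `issue` values. The two record sets are the ones quoted in this bug; the `iodef` tag, the `";"` empty-issuer case and the case-insensitive tag matching are taken from RFC 6844, not from this page.

```python
from __future__ import annotations
from dataclasses import dataclass

CRITICAL = 0x80                                 # issuer-critical flag bit (RFC 6844 s5.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}    # IANA CAA property tag registry

# Record sets quoted in the bug report and in the follow-up comment.
ZONE_REPORTED = """
critical.gm32888.pl. 1 IN CAA 128 issue "my.very.own.ca"
critical.gm32888.pl. 1 IN CAA 0 issue "comodoca.com"
"""
ZONE_UNKNOWN_CRITICAL = """
critical.gm32888.pl. 1 IN CAA 128 myuniquevalue "anything here it doesn't matter"
"""

@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

def parse_caa(zone_text: str) -> list[CAARecord]:
    """Parse presentation-format CAA lines (owner TTL class CAA flags tag value)."""
    records = []
    for line in zone_text.strip().splitlines():
        _owner, _ttl, _cls, rrtype, flags, tag, value = line.split(None, 6)
        if rrtype != "CAA":
            raise ValueError(f"not a CAA record: {line!r}")
        records.append(CAARecord(int(flags), tag, value.strip().strip('"')))
    return records

def may_issue(records: list[CAARecord], ca_domain: str) -> tuple[bool, str]:
    """Decide whether ca_domain may issue a non-wildcard certificate for a
    relevant CAA record set, per RFC 6844 s4 and BR 3.2.2.8."""
    # Critical flag only matters when the *tag* is unrecognized; a critical
    # 'issue' record is fully understood and simply adds a permitted issuer.
    for rec in records:
        if rec.flags & CRITICAL and rec.tag.lower() not in KNOWN_TAGS:
            return False, f"unrecognized critical property tag {rec.tag!r}"
    # Issuer domain is the part before any ';' parameters; 'issue ";"' permits nobody.
    issuers = [r.value.split(";")[0].strip().lower()
               for r in records if r.tag.lower() == "issue"]
    if not issuers:
        return True, "no issue property present; CAA does not restrict issuance"
    if ca_domain.lower() in issuers:
        return True, f"{ca_domain} is listed in an issue property"
    return False, f"{ca_domain} is not among permitted issuers {issuers}"

if __name__ == "__main__":
    print(may_issue(parse_caa(ZONE_REPORTED), "comodoca.com"))
    print(may_issue(parse_caa(ZONE_UNKNOWN_CRITICAL), "comodoca.com"))
```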

I think this is pointing to an error in BR section 3.2.2.8 which states:

CAs MUST respect the critical flag and not issue a certificate if they encounter an unrecognized property with this flag set.

It should state:

CAs MUST respect the critical flag and not issue a certificate if they encounter an unrecognized property tag with this flag set.

Ah, yes, that's entirely fair (and would align with the aforementioned Section 3).

Sent an email to the CAB Forum Validation list requesting a correction.

Status: UNCONFIRMED → RESOLVED
Closed: 7 months ago
Resolution: --- → INVALID

Thank you so much for your effort to solve this issue.

It is the only place in the BR where "property" is used instead of "property tag", which is a significant difference according to RFC 6844.

As you stated, I think it is truly an error in BR section 3.2.2.8, because it would be a discrepancy between the BR and RFC 6844.
