Comodo: Possible CAA Misissuance due against critical record
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: admin, Assigned: wthayer)
Details
(Whiteboard: [ca-compliance])
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763
Steps to reproduce:
I requested for a certificate on domain with configured CAA records set on DNS as follows:
critical.gm32888.pl. 1 IN CAA 128 issue "my.very.own.ca"
critical.gm32888.pl. 1 IN CAA 0 issue "comodoca.com"
Actual results:
I got my certificate issued
Expected results:
As states in CA/B Forum Baseline Requirements (Section 3.2.2.8. CAA Records)
"CAs MUST respect the critical flag and not issue a certificate if they encounter an unrecognized property with this flag set."
In RFC-6844 (Section 2.2. Defined Terms) "property" is specified as:
"Property: The tag-value portion of a CAA Resource Record."
According to this, in my case "property" is "issue my.very.own.ca"
I believe that it's not recognized property for Comodo CA.
It looks like a misissuance or possible mistake in CA\B BR and instead of "property", there should be "property tag" like that:
"CAs MUST respect the critical flag and not issue a certificate if they encounter an unrecognized property tag with this flag set."
|
Assignee | |
Comment 1•5 years ago
|
||
This doesn't look like a misissuance but rather a potential erratum in RFC 6844. I will ask the question on m.d.s.p.
|
||
Comment 2•5 years ago
|
||
I don't believe this is misissuance.
The 'property' here is 'issue', which is recognized and defined. According to the BRs, all CAs must support this property. When constructing the CAA record set, there are two values for the 'issue' property, allowing either CA - comodoca.com or my.very.own.ca - to issue. See https://tools.ietf.org/html/rfc6844#section-5.2
The specified language is to ensure that domains can do something like
critical.gm32888.pl. 1 IN CAA 128 myuniquevalue "anything here it doesn't matter"
will result in the CAA check failing, because 'myuniquevalue' is an unrecognized (and unspecified) property, as per the "Certification Authority Restriction Properties" registry (established in https://tools.ietf.org/html/rfc6844#section-7.2 and maintained at https://www.iana.org/assignments/pkix-parameters/pkix-parameters.xhtml#caa-properties
See also https://tools.ietf.org/html/rfc6844#section-3
Wayne: I think we should just straight Resolved/Invalid this.
|
|
Assignee | |
Comment 3•5 years ago
|
||
I think this is pointing to an error in BR section 3.2.2.8 which states:
CAs MUST respect the critical flag and not issue a certificate if they encounter an unrecognized property with this flag set.
It should state:
CAs MUST respect the critical flag and not issue a certificate if they encounter an unrecognized property tag with this flag set.
|
|
||
Comment 4•5 years ago
|
||
Ah, yes, that's entirely fair (and would align with the aforementioned Section 3)
|
|
Assignee | |
Comment 5•5 years ago
|
||
Sent an email to the CAB Forum Validation list requesting a correction.
Thank you so much for your effort to solve this issue.
It is the only place where in BR is used "property" instead of "property tag", which is significant difference according to the RFC-6844.
As you stated, I think it is truly an error in section 3.2.2.8 BR, because it would be a discrepancy between BR and RFC-6844.
|
||
Updated•2 years ago
|
Description
•