DNS Certification Authority Authorization (CAA) Resource Record
Draft of message to be sent after approval:
From: The IESG <email@example.com>
To: IETF-Announce <firstname.lastname@example.org>
Cc: RFC Editor <email@example.com>, pkix mailing list <firstname.lastname@example.org>, pkix chair <email@example.com>
Subject: Protocol Action: 'DNS Certification Authority Authorization (CAA) Resource Record' to Proposed Standard (draft-ietf-pkix-caa-15.txt)

The IESG has approved the following document:
- 'DNS Certification Authority Authorization (CAA) Resource Record' (draft-ietf-pkix-caa-15.txt) as Proposed Standard

This document is the product of the Public-Key Infrastructure (X.509) Working Group.

The IESG contact persons are Sean Turner and Stephen Farrell.

A URL of this Internet Draft is:
http://datatracker.ietf.org/doc/draft-ietf-pkix-caa/

Technical Summary

The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify one or more Certification Authorities authorized to issue certificates for that domain. CAA resource records allow a public Certification Authority to implement additional controls to reduce the risk of unintended certificate mis-issue.

Working Group Summary

This document might have been pursued in other WGs, specifically DNSEXT, since it specifies a new DNS record type. It also might have been pursued in DANE, but the focus of DANE is sufficiently different that it is probably not a good fit there. Because the document specifies a DNS record type, for use with PKI technology, PKIX was a reasonable choice for the authors. There was some controversy initially, but that went away over time.

Document Quality

I am not aware of any existing implementations of the protocol, but both authors work for a company that is represented by a trust anchor in browsers and operating systems, and thus it is likely that their organization will support this proposal via an implementation.

Personnel

Steve Kent is the Document Shepherd. Sean Turner is the Responsible Area Director.
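
The check described in the Technical Summary, sketched from the issuing CA's side as an added example (not part of the IESG announcement or the draft's own text). The record fields (flags, tag, value), the `issue`/`issuewild` tags, the critical flag and the parent-domain search come from the CAA specification rather than from this message; the zone data is constructed, alias (CNAME/DNAME) handling is omitted, and treating a record set with no applicable property as unrestricted is an assumption of this example.

```python
CRITICAL = 0x80  # high bit of the flags octet: "issuer critical"
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample data: CAA record sets as (flags, tag, value) per name.
SAMPLE_ZONE = {
    "example.com": [(0, "issue", "ca.example.net"), (0, "issuewild", ";")],
    "critical.example.org": [(CRITICAL, "futuretag", "x"),
                             (0, "issue", "ca.example.net")],
}

def relevant_rrset(name, zone):
    """Walk from the name toward the root; the first CAA set found applies."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def issuer_domain(value):
    """Issuer name is the text before any ';' parameters; ';' alone is empty."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(ca_domain, name, zone):
    """Return True if the CA identified by ca_domain may issue for name."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name, zone)
    if not rrset:
        return True  # nothing published: CAA imposes no restriction
    # An unrecognised property marked critical means the CA must refuse.
    if any(f & CRITICAL and t.lower() not in KNOWN_TAGS for f, t, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # issuewild, when present, replaces issue for wildcard requests only.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # assumption: no applicable property means unrestricted
    # An empty issuer name (";") authorizes no CA at all.
    allowed = {issuer_domain(v) for v in applicable} - {""}
    return ca_domain.lower() in allowed

if __name__ == "__main__":
    for ca, name in [("ca.example.net", "www.example.com"),
                     ("other-ca.example", "www.example.com"),
                     ("ca.example.net", "*.example.com")]:
        print(ca, name, may_issue(ca, name, SAMPLE_ZONE))
```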