Technical Summary
The Certification Authority Authorization (CAA) DNS resource record
(RR) provides a mechanism for domains to express the allowed set of
Certification Authorities (CAs) that are authorized to issue
certificates for the domain. RFC 8659 contains the core CAA
specification and defines the Property Tags that restrict the issuance
of certificates which certify domain names. This specification defines
a Property Tag that grants authorization to CAs to issue certificates
which contain the id-kp-emailProtection key purpose in the
extendedKeyUsage extension and one or more rfc822Name or otherName of
type id-on-SmtpUTF8Mailbox that include the domain name in the
subjectAltName extension.
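As an added illustration of the issuance check described above (not code from the specification or from any CA), the following sketches how a CA would evaluate the email Property Tag against the mail domains of a request's rfc822Name entries, using the RFC 8659 tree climb to find the relevant CAA RRset. The tag name "issuemail" and the CAA zone contents are assumptions for the demo: the summary above does not name the tag, and the zone data is constructed.

```python
# Property Tag name is an assumption (the summary above does not state it);
# "issuemail" is the name used in the published specification.
EMAIL_TAG = "issuemail"
KNOWN_TAGS = {"issue", "issuewild", "iodef", EMAIL_TAG}

# Constructed CAA zone data for the demo: {domain: [(flags, tag, value), ...]}
ZONE = {
    "example.com": [(0, "issue", "web-ca.example"),
                    (0, "issuemail", "mail-ca.example; account=42")],
    "mail.example.org": [(0, "issuemail", ";")],       # no CA may issue S/MIME
    "example.net": [(0, "issue", "web-ca.example")],   # web issuance only
}

def relevant_caa_rrset(domain, zone):
    """RFC 8659 tree climb: walk from the domain towards the root and return
    the first non-empty CAA RRset found (empty list if none; CNAMEs ignored)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def mail_domain(addr):
    """Domain part of an rfc822Name; the CAA lookup is keyed on this."""
    if addr.count("@") != 1:
        raise ValueError(f"not an rfc822Name: {addr!r}")
    return addr.rsplit("@", 1)[1].lower().rstrip(".")

def email_issuance_allowed(domain, ca_domain, zone):
    rrset = relevant_caa_rrset(domain, zone)
    # A critical (flag bit 128) property the CA does not understand blocks issuance.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    values = [v for _, t, v in rrset if t.lower() == EMAIL_TAG]
    if not values:
        return True   # no email property present: this tag imposes no restriction
    for value in values:
        issuer = value.split(";", 1)[0].strip().lower()   # drop ";param=..." tail
        if issuer and issuer == ca_domain.lower():
            return True
    return False      # only ";" (nobody) or other CAs are authorized

def may_issue_smime(eku, san_emails, ca_domain, zone=ZONE):
    """True if ca_domain may issue a cert with the given EKU and rfc822Name SANs."""
    if "id-kp-emailProtection" not in eku or not san_emails:
        return True   # the email Property Tag does not govern such certificates
    return all(email_issuance_allowed(mail_domain(a), ca_domain, zone)
               for a in san_emails)
```

Every mail domain in the request must authorize the CA; one refusing domain blocks the whole certificate.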
Working Group Summary
There was little controversy, and suggested improvements were readily
accepted by the author.
Individuals who participate in the CA/Browser Forum have followed the
development of this specification carefully.
Document Quality
Several Certification Authorities have expressed interest in implementing
this specification. The CA/Browser Forum will likely require support for
this specification in their S/MIME Certificate Baseline Requirements.
Personnel
The Document Shepherd for this document is Russ Housley. The Responsible
Area Director is Roman Danyliw.