[cabfpub] Continuing the discussion on CAA
jeremy.rowley at digicert.com
Mon Oct 24 15:40:24 UTC 2016
Has there been an issuance to a third party that CAA would have prevented?
Since there's no way to ensure compliance with a hard-fail CAA requirement,
will CAA do anything useful? We don't mind CAA as a validation check, but
I'm curious if anyone knows of an issued cert that would have been rejected
if CAA were fully implemented.
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase
Markham via Public
Sent: Monday, October 24, 2016 5:38 AM
To: Eneli Kirme <Eneli.Kirme at sk.ee>; public at cabforum.org
Subject: Re: [cabfpub] Continuing the discussion on CAA
On 24/10/16 12:08, Eneli Kirme via Public wrote:
> But consider this scenario: a hypothetical CoolCA approaching a DNS
> service provider, be it an ISP, domain registrar or some kind of
> hosting provider, with a proposal to include a CAA record pointing to
> the CoolCA into their default configuration.
I would expect the DNS service provider to refuse, because otherwise they'll
have a lot of angry customers ringing them up, saying "my CA tells me I
can't have a certificate, and it's your fault".
However, to address this, would it be reasonable to add a clause in the
CAA-related change which said something like: "CAs MUST NOT add (or cause or
request to be added) CAA records to the DNS without the explicit permission
of the domain owner."
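As an added illustration of what "CAA as a validation check" and "hard-fail" mean for a CA at issuance time (example code added here, not from the thread or from any CA's implementation): a toy RFC 8659-style CAA authorization check run against a constructed in-memory zone table; the domain names, the CA identifier and the `ZONE` data are assumptions.

```python
"""Toy CAA authorization check (RFC 8659 tree climb), hard-fail vs soft-fail.

Uses a constructed in-memory "DNS" instead of real resolution; no CNAME handling.
"""
from typing import Dict, List, Optional, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed sample data: name -> CAA records. None marks a name whose lookup
# fails (e.g. SERVFAIL or a DNSSEC-bogus response), [] means no CAA records.
ZONE: Dict[str, Optional[List[CAARecord]]] = {
    "example.com": [(0, "issue", "coolca.example; account=42"), (0, "issuewild", ";")],
    "www.example.com": [],       # no CAA here: the check climbs to example.com
    "broken.example": None,      # lookup error on this name
    "open.example": [],          # no CAA anywhere in this tree
}


def relevant_caa(name: str) -> Optional[List[CAARecord]]:
    """Walk from `name` toward the root; return the first non-empty CAA set.

    Returns [] if no label in the chain has CAA records, None on a lookup error.
    """
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]), [])
        if rrset is None:
            return None
        if rrset:
            return rrset
    return []


def ca_may_issue(name: str, ca_domain: str, hard_fail: bool) -> bool:
    """Decide whether `ca_domain` may issue a certificate for `name`."""
    wildcard = name.startswith("*.")
    rrset = relevant_caa(name[2:] if wildcard else name)
    if rrset is None:
        # Hard-fail: a lookup error blocks issuance; soft-fail: treat as "no CAA".
        return not hard_fail
    if not rrset:
        return True  # no CAA records anywhere in the tree: any CA may issue
    # A record with the critical flag set and an unrecognized tag forbids issuance.
    if any(flags & 128 and tag not in ("issue", "issuewild", "iodef")
           for flags, tag, _ in rrset):
        return False
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    # The issuer domain is the value up to the first ';'; parameters follow it.
    allowed = {v.split(";")[0].strip() for _, t, v in rrset if t == tag}
    return ca_domain in allowed
```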