[cabfpub] Ballot 187 - Make CAA Checking Mandatory

Gervase Markham gerv at mozilla.org
Sat Feb 25 01:25:44 UTC 2017

On 24/02/17 12:36, Ryan Sleevi wrote:
> My belief and support is that the intent of "operated by the CA or an
> Affiliate of the CA" was to match the terminology from RFC 7719, which
> would specifically mean the interpretation (b), and the answer to the
> hypothetical question is "No, demonstration of control of a record is
> not sufficient, demonstration of operation of the authoritative name
> servers is"
> Is that consistent with the intent Gerv? If so, does that look like
> something you see as easy to correct? I'm wondering whether introducing
> RFC 7719 as the normative dependency might provide better clarity to
> this question. 

Yes, I think this is what I mean, and using the terminology from RFC
7719 seems sensible. Consider the relevant bullet changed to:

* CAA checking is optional if the CA or an Affiliate of the CA is the
DNS Operator (as defined in RFC 7719) of the domain's DNS

"RFC 7719" would be a link.

