[cabfpub] Ballot 187 - Make CAA Checking Mandatory
Gervase Markham
gerv at mozilla.org
Sat Feb 25 01:25:44 UTC 2017
On 24/02/17 12:36, Ryan Sleevi wrote:
> My belief and support is that the intent of "operated by the CA or an
> Affiliate of the CA" was to match the terminology from RFC 7719, which
> would specifically mean the interpetation (b), and the answer to the
> hypothetical question is "No, demonstration of control of a record is
> not sufficient, demonstration of operation of the authoritative name
> servers is"
>
> Is that consistent with the intent Gerv? If so, does that look like
> something you see as easy to correct? I'm wondering whether introducing
> RFC 7719 as the normative dependency might provide better clarity to
> this question.
Yes, I think this is what I mean, and using the terminology from RFC
7719 seems sensible. Consider the relevant bullet changed to:
* CAA checking is optional if the CA or an Affiliate of the CA is the
DNS Operator (as defined in RFC 7719) of the domain's DNS
"RFC 7719" would be a link.
Gerv
More information about the Public
mailing list