[cabfpub] Ballot 187 - Make CAA Checking Mandatory

Gervase Markham gerv at mozilla.org
Wed Mar 1 15:50:30 UTC 2017


On 23/02/17 17:36, Dimitris Zacharopoulos wrote:
> Just a short comment on the following statement:
> 
> "CAA checking is optional for certificates issued by an Technically
> Constrained Subordinate CA Certificate as set out in Baseline
> Requirements section 7.1.5, where the lack of CAA checking is an
> explicit contractual provision in the contract with the Applicant".
> 
> As we have discussed several times, Certificates are not issued by
> Certificates so it would be more accurate to re-use some language of the
> BRs around TC SubCAs and say:
> 
> "CAA checking is optional for certificates issued by a Technically
> Constrained Subordinate CA in line with Section 7.1.5, where the lack of
> CAA checking is an explicit contractual provision in the contract with
> the Applicant".

I am now confused by this, because your proposed change removes the term
"Subordinate CA Certificate", which is defined in your updated language
in ballot 188, and replaces it with "Subordinate CA", which is not defined.

Your ballot defines:

"Subordinate CA Certificate: A CA Certificate that has been signed by
the Private Key associated with a Root CA Certificate or a different
Subordinate CA Certificate."

That seems right to me. So I am rejecting this proposed minor change. If
an update to the language is needed, we can make it in whatever ballot
ends up being passed to fix the issues people are finding with 188.

Gerv



More information about the Public mailing list