[cabfpub] Results on Ballot 187 - Make CAA Checking Mandatory

Ryan Sleevi sleevi at google.com
Fri Mar 17 18:02:35 UTC 2017


On Fri, Mar 17, 2017 at 1:51 PM, Rick Andrews <Rick_Andrews at symantec.com>
wrote:

>
> From: Ryan Sleevi [mailto:sleevi at google.com]
> Sent: Friday, March 17, 2017 10:42 AM
> To: Rick Andrews <Rick_Andrews at symantec.com>
> Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>;
> Gervase Markham <gerv at mozilla.org>
> Subject: Re: [cabfpub] Results on Ballot 187 - Make CAA Checking Mandatory
>
> On Fri, Mar 17, 2017 at 1:34 PM, Rick Andrews <Rick_Andrews at symantec.com>
> wrote:
>
> If the issue or issuewild records indicate that I am permitted to issue
> the cert, it seems excessive to reject because I can't parse the iodef
> record. As a permitted CA, I don't need to do anything with the iodef
> record.
>
> That's not correct. For example, imagine the issue indicates Symantec, but
> it requests EV only (via a Symantec-defined issuer-parameter), and you
> receive a request a DV. What do you do then?
>
> Symantec has not defined any additional parameters, so this question is
> moot (for me).
>

But it's not moot for relying parties or for browsers, as your
interpretation effectively prevents any assurance of issuer-parameters from
being useful and deployed, even if you do not wish to do so.


>
>
> Similarly, if the Forum introduces issuer-parameters regarding the use of
> 3.2.2.4 validity methods, what then?
>
> The Forum has not defined any parameters yet, so this question is moot.
>
> For this simple case where there are no additional parameters and I find
> my identifier in an issue or issuewild record, I need not even view an
> iodef record.
>
> How do others interpret it?
>
> Your intent is probably to catch the error and alert the domain owner, so
> that they can fix it in case a non-authorized CA tries to issue a cert for
> the domain. While I can see the advantage of that, I'm not sure that this
> action was intended by the RFC or Gerv's ballot.
>
> How do others interpret it?
>
> -Rick
>
> From: Ryan Sleevi [mailto:sleevi at google.com]
> Sent: Friday, March 17, 2017 10:26 AM
> To: Rick Andrews <Rick_Andrews at symantec.com>
> Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>;
> Gervase Markham <gerv at mozilla.org>
>
> Subject: Re: [cabfpub] Results on Ballot 187 - Make CAA Checking Mandatory
>
> Fail to issue.
>
> On Fri, Mar 17, 2017 at 1:25 PM, Rick Andrews <Rick_Andrews at symantec.com>
> wrote:
> But what am I supposed to do if I can’t parse the syntax?
>
> From: Ryan Sleevi [mailto:sleevi at google.com]
> Sent: Friday, March 17, 2017 10:22 AM
> To: CA/Browser Forum Public Discussion List <public at cabforum.org>
> Cc: Gervase Markham <gerv at mozilla.org>; Rick Andrews <
> Rick_Andrews at symantec.com>
> Subject: Re: [cabfpub] Results on Ballot 187 - Make CAA Checking Mandatory
>
> On Fri, Mar 17, 2017 at 1:18 PM, Rick Andrews via Public <
> public at cabforum.org> wrote:
> Gerv, I would suggest simply removing "iodef" from "CAs MUST process the
> issue, issuewild, and iodef property tags". To me, the word "process" means
> to take some kind of action, as we must do with issue and issuewild tags.
> From what others have said, if the iodef record isn't marked critical, I
> can ignore it, and if it is marked critical, I can ignore it as long as I
> recognize it as an iodef record. I wouldn't call that "processing" the
> record.
>
> That's not quite correct. If it's marked critical, you must still
> understand how to parse the syntax, and ensure it is something you actively
> understand, even if you do not report.
>
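The processing rules argued in this reply (parse every record, fail closed on anything the CA cannot parse or does not understand, and only then look for the CA's own identifier and its issuer-parameters), written out as an added Python example; this is not code from the thread or from any CA. The record set is constructed, and the RFC 6844 climb to the parent domain and CNAME handling are assumed to have already produced the relevant record set.

```python
from collections import namedtuple

# One CAA RR: flags octet (0x80 = issuer critical), property tag, property value.
CAA = namedtuple("CAA", "flags tag value")
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # tags this CA knows how to interpret

def _parse_issue(value):
    """Split an issue/issuewild value into (issuer_domain, {param: val});
    raise ValueError when the syntax is not what RFC 6844 section 5.2 allows."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0]
    if issuer and not all(c.isalnum() or c in "-." for c in issuer):
        raise ValueError(f"bad issuer domain: {issuer!r}")
    params = {}
    for p in parts[1:]:
        if not p:
            continue  # a bare trailing ';' (as in "issue ;") is legal
        name, sep, val = p.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"bad issuer-parameter: {p!r}")
        params[name.strip()] = val.strip()
    return issuer, params

def may_issue(records, ca_domain, wildcard=False, known_params=frozenset()):
    """Return True only if this CA may issue for the name these records govern."""
    issue, issuewild = [], []
    for r in records:
        tag = r.tag.lower()
        if tag not in KNOWN_TAGS:
            if r.flags & 0x80:
                return False  # unknown critical property: RFC 6844 forbids issuance
            continue  # unknown non-critical property may be ignored
        try:
            if tag == "iodef":
                scheme = r.value.split(":", 1)[0].lower()
                if scheme not in ("mailto", "http", "https"):
                    raise ValueError(f"bad iodef URL: {r.value!r}")
            else:
                (issuewild if tag == "issuewild" else issue).append(_parse_issue(r.value))
        except ValueError:
            return False  # a record we cannot parse: "fail to issue"
    # For a wildcard request, issuewild records take precedence when present.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no issue property at all: issuance is not restricted
    # Match our own identifier, and (the position argued above) treat a grant
    # carrying an issuer-parameter we do not understand as no grant at all.
    return any(issuer.lower() == ca_domain.lower() and set(params) <= known_params
               for issuer, params in relevant)
```

The `known_params` set is where a CA registers the issuer-parameters it has defined and checks; with the default empty set, any parameter on its own issue record makes the record unusable as a grant.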