[cabfpub] Results on Ballot 187 - Make CAA Checking Mandatory

Gervase Markham gerv at mozilla.org
Tue Mar 21 08:50:02 UTC 2017


Hi,

On 20/03/17 22:02, y-iida--- via Public wrote:
> New text reads:
>    CAA checking is optional for certificates for which a
>    Certificate Transparency pre-certificate was created and
>    logged in at least two public logs, and for which CAA was
>    checked.
> 
> This ends with ``for which CAA was checked.''  Does it mean
> that CA MUST look up DNS CAA resource records, regardless of CT
> logging?

I don't quite understand the question. The entire point of the ballot is
to make it mandatory (i.e. MUST) in almost all circumstances for CAs to
look up DNS CAA resource records. The text you quote is one of the small
number of exceptions, which basically says you don't have to do it twice
for CT (although you can if you like and it's easier).

Gerv

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170321/4da57388/attachment-0001.sig>


More information about the Public mailing list