[Servercert-wg] CAA RFC8659 update
Ryan Sleevi
sleevi at google.com
Wed Nov 20 08:21:50 MST 2019
On Wed, Nov 20, 2019 at 5:19 AM Tomas Gustavsson via Servercert-wg <
servercert-wg at cabforum.org> wrote:
>
> Hi,
>
> I just saw that CAA has a new RFC, RFC8659, with updates in particular
> to the tree climbing. The CNAME and DNAME processing was if I remember
> correctly some of the biggest challenges when implementing RFC6844, and
> this is basically gone in RFC8659 (delegated to the CAs resolver to
> follow CNAMES etc).
>
> Current BRs specify RFC6844 with specifics around CNAMEs.
> I could not find any previous discussion on RFC6844 so wondered if there
> has been a discussion on adopting RFC8659?
>
> Adopting this would likely mean implementation changes (while, if CAB
> Forum is not adopting the new RFC I see little point in the RFC update
> at all).
>
Hi Tomas,
Currently, the BRs referenced RFC6844 along with Errata 5065 (see Appendix
A). Functionally, this is what became RFC 8659. RFC 8659 just got published
this morning ( https://tools.ietf.org/html/rfc8659 )
I'm not sure why you didn't find the discussion. This was CA/B Forum Ballot
214 that adopted the Errata, and then went through the IETF process to
update and standardize it.
So we're good to update to reference RFC 8659, and there should be no
functional change for existing CAs complying with the BRs. Of course, they
are welcome and encouraged to review and highlight any concerns, if there
is to be a phase-in transition, but that should not be necessary and it
should just be administrivia.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191120/4ba0cbb9/attachment.html>
More information about the Servercert-wg
mailing list