[cabf_validation] Using 3.2.2.4.2/.3 for future domains

Tim Hollebeek tim.hollebeek at digicert.com
Fri Mar 23 02:55:17 MST 2018


Ah.  That’s fine too.

 

-Tim

 

From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Friday, March 23, 2018 9:31 AM
To: Tim Hollebeek <tim.hollebeek at digicert.com>
Cc: Wayne Thayer <wthayer at mozilla.com>; CA/Browser Forum Validation WG List <validation at cabforum.org>; Peter Bowen <pzb at amzn.com>
Subject: Re: [cabf_validation] Using 3.2.2.4.2/.3 for future domains

 

Note: I was discussing having the CA disclose the validation method used in the certificate. Without this, the CAA tags proposal is simply one half of policy, without a way for affected Subscribers or domain holders to detect misissuance or malfeasance.

 

On Fri, Mar 23, 2018 at 5:04 AM, Tim Hollebeek <tim.hollebeek at digicert.com <mailto:tim.hollebeek at digicert.com> > wrote:

That’s correct, we remain strongly in favor of allowing domain holders to restrict validation methods.  It’s one of the more important parts of my CAA tags proposal, which unfortunately has gotten at best lukewarm support from other large CAs.

 

-Tim

 

I'm similarly interested in declaring the validation method(s) used, particularly for domain names, which provides a way for the domain holder to validate that the CAA policy is respected. I assume DigiCert's support for this has not waned since the last time it was discussed (in the context of 190)?

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20180323/ea3cfec6/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4940 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/validation/attachments/20180323/ea3cfec6/attachment-0001.p7s>


More information about the Validation mailing list