<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 27, 2016 at 6:33 PM, Jody Cloutier via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Question: If a company has trusted roots, but it does not issue roots to the general public, would it still have to check the CAA database?<br></blockquote><div><br></div><div>I assume you mean "issue certificates"?<br><br></div><div>I'm not sure what you mean by "not issuing to the general public", but I'm concerned about heading back toward the "internal names" exception that we killed not so long ago. <br><br></div><div>--Richard<br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<span class="im HOEnZb"><br>
-----Original Message-----<br>
From: Public [mailto:<a href="mailto:public-bounces@cabforum.org">public-bounces@<wbr>cabforum.org</a>] On Behalf Of Andrew Ayer via Public<br>
Sent: Tuesday, October 25, 2016 10:32 AM<br>
To: <a href="mailto:public@cabforum.org">public@cabforum.org</a><br>
Subject: Re: [cabfpub] Continuing the discussion on CAA<br>
<br>
</span><div class="HOEnZb"><div class="h5">On Mon, 24 Oct 2016 18:52:06 +0000<br>
Jeremy Rowley via Public <<a href="mailto:public@cabforum.org">public@cabforum.org</a>> wrote:<br>
<br>
> "CAA records MAY be used by Certificate Evaluators as a possible<br>
> indicator of a security policy violation. Such use SHOULD take<br>
> account of the possibility that published CAA records changed<br>
> between the time a certificate was issued and the time at which the<br>
> certificate was observed by the Certificate Evaluator."<br>
><br>
> I know it says this, but I'm not sure how this would ever happen in<br>
> practice. That seems more like the role of CT over CAA.<br>
<br>
CT finds certificates but doesn't tell you whether a certificate was authorized or not. A CT monitor could check CAA records and raise an alarm if a certificate was issued by an unauthorized CA.<br>
<br>
Regards,<br>
Andrew<br>
______________________________<wbr>_________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://cabforum.org/mailman/<wbr>listinfo/public</a><br>
______________________________<wbr>_________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://cabforum.org/mailman/<wbr>listinfo/public</a><br>
</div></div></blockquote></div><br></div></div>