<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
h3
{mso-style-priority:9;
mso-style-link:"Heading 3 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:13.5pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.m-8519281859203594463h3
{mso-style-name:m_-8519281859203594463h3;}
span.Heading3Char
{mso-style-name:"Heading 3 Char";
mso-style-priority:9;
mso-style-link:"Heading 3";
font-family:"Calibri Light",sans-serif;
color:#1F3763;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle23
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>I am pretty sure that Peter and myself only diverged in our interpretation of the original proposal from Iida. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I had not considered the case that alice.com is explicitly authorized but only for issue. We did in fact have a lot of discussion on the list about this when issuewild was proposed. We certainly did not want the addition of issuewild to require everyone to publish records for both but some people did want to specify separate semantics for both.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I will thus amend my earlier post to read:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>It is my understanding that the text as drafted prohibits issue of a wildcard certificate by any CA if the record set only contains issue records and issue of a non wildcard certificate if the record set only contains issuewild records.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I do not think that this actually changes the proposed errata since 5.3 applies regardless.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b>From:</b> Ryan Sleevi [mailto:sleevi@google.com] <br><b>Sent:</b> Thursday, June 22, 2017 3:57 PM<br><b>To:</b> Peter Bowen <pzb@amzn.com>; CA/Browser Forum Public Discussion List <public@cabforum.org><br><b>Cc:</b> Phillip <philliph@comodo.com><br><b>Subject:</b> Re: [cabfpub] "[UNVERIFIED SENDER]Re: no CAA authorizations -- RFC 6844<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>This is consistent with the deployed reality, so I similarly concur with Peter's view and believe that Phillip's understanding may be a misunderstanding of the text. 
Certainly, it would be a breaking change for deployments to adopt the proposed interpretation, and for that reason, would be very concerning.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Thu, Jun 22, 2017 at 2:59 PM, Peter Bowen via Public <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal>I believe that this is a misreading, based on section 5.3:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><h3 style='mso-line-height-alt:0pt'><a name="m_-8519281859203594463_section-5.3"></a><a href="https://tools.ietf.org/html/rfc6844#section-5.3" target="_blank"><span style='mso-bookmark:"m_-8519281859203594463_section-5\.3"'><span style='font-size:10.0pt;font-family:"Courier New";color:black;text-decoration:none'>5.3</span></span><span style='mso-bookmark:"m_-8519281859203594463_section-5\.3"'></span></a><span style='mso-bookmark:"m_-8519281859203594463_section-5\.3"'></span><span style='font-size:10.0pt;font-family:"Courier New"'>. 
CAA issuewild Property<o:p></o:p></span></h3><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre> The issuewild property has the same syntax and semantics as the issue<o:p></o:p></pre><pre> property except that issuewild properties only grant authorization to<o:p></o:p></pre><pre> issue certificates that specify a wildcard domain and issuewild<o:p></o:p></pre><pre> properties take precedence over issue properties when specified.<o:p></o:p></pre><pre> Specifically:<o:p></o:p></pre><pre><o:p> </o:p></pre><pre> issuewild properties MUST be ignored when processing a request for<o:p></o:p></pre><pre> a domain that is not a wildcard domain.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre> If at least one issuewild property is specified in the relevant<o:p></o:p></pre><pre> CAA record set, all issue properties MUST be ignored when<o:p></o:p></pre><pre> processing a request for a domain that is a wildcard domain.<o:p></o:p></pre><div><p class=MsoNormal><o:p> </o:p></p></div></div><div><p class=MsoNormal>This makes it clear that issue property applies when a wildcard domain is processed unless there is an issuewild property.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thanks,<o:p></o:p></p></div><div><p class=MsoNormal>Peter<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>On Jun 22, 2017, at 11:46 AM, Phillip via Public <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>> wrote:<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>It is my understanding that the text as drafted prohibits issue of a<br>wildcard certificate if the record set only contains issue records and issue<br>of a non wildcard certificate if the record set only contains issuewild<br>records.<br><br>My reasoning is as follows:<br><br>The relevant parts of the specification are:<br><br>4. 
Certification Authority Processing<br><br> Before issuing a certificate, a compliant CA MUST check for<br> publication of a relevant CAA Resource Record set. If such a record<br> set exists, a CA MUST NOT issue a certificate unless the CA<br> determines that either (1) the certificate request is consistent with<br> the applicable CAA Resource Record set or (2) an exception specified<br> in the relevant Certificate Policy or Certification Practices<br> Statement applies.<br><br> A certificate request MAY specify more than one domain name and MAY<br> specify wildcard domains. Issuers MUST verify authorization for all<br> the domains and wildcard domains specified in the request.<br><br>3. The CAA RR Type<br><br> issue <Issuer Domain Name> [; <name>=<value> ]* : The issue property<br> entry authorizes the holder of the domain name <Issuer Domain<br> Name> or a party acting under the explicit authority of the holder<br> of that domain name to issue certificates for the domain in which<br> the property is published.<br><br> issuewild <Issuer Domain Name> [; <name>=<value> ]* : The issuewild<br> property entry authorizes the holder of the domain name <Issuer<br> Domain Name> or a party acting under the explicit authority of the<br> holder of that domain name to issue wildcard certificates for the<br> domain in which the property is published.<br><br><br>Section 4 specifies that the CA MUST NOT issue a certificate unless... 'is<br>consistent'<br><br>If we were to interpret 'is consistent' as meaning that the absence of an<br>authorization record implies authorization then the whole specification<br>becomes meaningless. The argument made that silence on issue permits<br>issuewild would apply just as well to issue. <br><br><br>Proposed resolution:<br><br>I do not believe that the text as written is ambiguous. However, out of an<br>abundance of caution and to eliminate any possible doubt, I propose an<br>errata to read as follows:<br><br>Existing text<br><br>4. 
Certification Authority Processing<br><br> Before issuing a certificate, a compliant CA MUST check for<br> publication of a relevant CAA Resource Record set. If such a record<br> set exists, a CA MUST NOT issue a certificate unless the CA<br> determines that either (1) the certificate request is consistent with<br> the applicable CAA Resource Record set or (2) an exception specified<br> in the relevant Certificate Policy or Certification Practices<br> Statement applies.<br><br>Replacement text<br><br>4. Certification Authority Processing<br><br> Before issuing a certificate, a compliant CA MUST check for<br> publication of a relevant CAA Resource Record set. If such a record<br> set exists, a CA MUST NOT issue a certificate unless the CA<br> determines that either (1) the certificate request is consistent with<br> and explicitly authorized by the applicable CAA Resource Record <br> set or (2) an exception specified in the relevant Certificate Policy <br> or Certification Practices Statement applies.<br><br><br>-----Original Message-----<br>From: Public [<a href="mailto:public-bounces@cabforum.org" target="_blank">mailto:public-bounces@cabforum.org</a>] On Behalf Of philliph---<br>via Public<br>Sent: Thursday, June 22, 2017 10:47 AM<br>To: Gervase Markham <<a href="mailto:gerv@mozilla.org" target="_blank">gerv@mozilla.org</a>>; CA/Browser Forum Public Discussion<br>List <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>><br>Subject: Re: [cabfpub] no CAA authorizations -- RFC 6844<br><br>It was certainly the intention that presence of an issue prevents issue of<br>wildcard certs.<br><br>I will re-read that section and report.<br><br>Meanwhile, I have had some comment on the discovery fixup and will rev that.<br><br><br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal>On Jun 22, 2017, at 8:34 AM, Gervase Markham via Public<o:p></o:p></p></blockquote><p class=MsoNormal><<a 
href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>> wrote:<br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><br>On 22/06/17 06:42, y-iida--- via Public wrote:<br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><C> Likewise, when there are some relevant CAA records, but no CAA <br>with "issuewild" property tag at all for a certificate domain, we <br>will issue wildcard certificate for that domain.<o:p></o:p></p></blockquote><p class=MsoNormal><br>You should read RFC6844 carefully, but to my understanding, this is <br>incorrect. If there is an "issue" property but no "issuewild" <br>property, then the "issue" property also controls the issuance of wildcard<br>certs.<br><br>So you need to respect it in that case.<br><br>Gerv<br><br>_______________________________________________<br>Public mailing list<br><a href="mailto:Public@cabforum.org" target="_blank">Public@cabforum.org</a><br><a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p></blockquote><p class=MsoNormal><o:p> </o:p></p></div></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal 
style='margin-bottom:12.0pt'><o:p></o:p></p></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>
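As an added example (not code from the thread or from any CA's implementation), the following Python routine applies the RFC 6844 section 5.3 rules quoted in Peter's message: issuewild entries are ignored for a non-wildcard name, and when at least one issuewild entry exists it displaces every issue entry for a wildcard name, so a record set holding only issue entries governs wildcard requests as well. The CA names, the alice.com record sets and the third "no-applicable-records" outcome (the case the thread argues about, left to the CA's policy) are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    tag: str    # "issue" or "issuewild"; other tags (e.g. "iodef") never grant issuance
    value: str  # issuer domain plus optional ";name=value" parameters; ";" alone names no CA


def applicable_issuers(rrset, domain):
    """Filter a CAA RRset per RFC 6844 section 5.3 for one requested domain.

    Returns the lower-cased issuer domain names of the properties that still
    apply, or None when no issue-type property survives the filtering.
    """
    wildcard = domain.startswith("*.")
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        relevant = [r for r in rrset if r.tag == "issuewild"]  # all issue properties ignored
    else:
        relevant = [r for r in rrset if r.tag == "issue"]      # issuewild ignored (or absent)
    if not relevant:
        return None
    names = {r.value.split(";", 1)[0].strip().lower() for r in relevant}
    names.discard("")  # an "issue ;" entry authorizes nobody, so it adds no issuer
    return names


def may_issue(rrset, domain, ca):
    """Outcome for CA `ca` requesting `domain` against the relevant CAA RRset.

    "permitted" / "prohibited" follow from the applicable properties; the third
    outcome (an assumption of this example) marks the disputed case: an RRset
    exists but no issue-type property applies after filtering, so the CA's own
    CP/CPS must decide it explicitly rather than treating silence as consent.
    """
    if not rrset:
        return "permitted"  # no relevant CAA RRset exists, so section 4 imposes nothing
    names = applicable_issuers(rrset, domain)
    if names is None:
        return "no-applicable-records"
    return "permitted" if ca.lower() in names else "prohibited"


if __name__ == "__main__":
    # Constructed sample RRsets for a hypothetical zone alice.com.
    only_issue = [CAARecord("issue", "ca1.example")]
    only_wild = [CAARecord("issuewild", "ca1.example")]
    both = [CAARecord("issue", "ca1.example"), CAARecord("issuewild", "ca2.example")]
    print(may_issue(only_issue, "*.alice.com", "ca2.example"))  # issue governs wildcards too
    print(may_issue(only_wild, "www.alice.com", "ca1.example"))  # issuewild ignored here
    print(may_issue(both, "*.alice.com", "ca1.example"))         # issuewild takes precedence
```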