<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>It is not clear which of us you are responding to.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Let us consider the case proposed:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraph style='margin-left:0in;mso-list:l2 level1 lfo4'>Domain example.com has an issue entry for CA alice.com but no issuewild<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l2 level1 lfo4'>Certificate requested for *.example.com from bob.com<o:p></o:p></li></ul><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>So section 5.3 does not apply. There is no issuewild to take priority. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The request has a wildcard so the requirement to ignore issuewild records for a non-wildcard does not apply.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>No issuewild properties are specified. 
So the second part does not apply.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Peter Bowen [mailto:pzb@amzn.com] <br><b>Sent:</b> Thursday, June 22, 2017 2:59 PM<br><b>To:</b> Phillip &lt;philliph@comodo.com&gt;; CA/Browser Forum Public Discussion List &lt;public@cabforum.org&gt;<br><b>Cc:</b> ekr@rtfm.com; kathleen.moriarty.ietf@gmail.com<br><b>Subject:</b> Re: "[UNVERIFIED SENDER]Re: [cabfpub] no CAA authorizations -- RFC 6844<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>I believe that this is a misreading, based on section 5.3:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><h3 style='mso-line-height-alt:0pt'><a name=section-5.3></a><a href="https://tools.ietf.org/html/rfc6844#section-5.3"><span style='mso-bookmark:"section-5\.3"'><span style='font-size:10.0pt;font-family:"Courier New";color:black;text-decoration:none'>5.3</span></span><span style='mso-bookmark:"section-5\.3"'></span></a><span style='mso-bookmark:"section-5\.3"'></span><span style='font-size:10.0pt;font-family:"Courier New"'>. 
CAA issuewild Property<o:p></o:p></span></h3><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre> The issuewild property has the same syntax and semantics as the issue<o:p></o:p></pre><pre> property except that issuewild properties only grant authorization to<o:p></o:p></pre><pre> issue certificates that specify a wildcard domain and issuewild<o:p></o:p></pre><pre> properties take precedence over issue properties when specified.<o:p></o:p></pre><pre> Specifically:<o:p></o:p></pre><pre><o:p> </o:p></pre><pre> issuewild properties MUST be ignored when processing a request for<o:p></o:p></pre><pre> a domain that is not a wildcard domain.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre> If at least one issuewild property is specified in the relevant<o:p></o:p></pre><pre> CAA record set, all issue properties MUST be ignored when<o:p></o:p></pre><pre> processing a request for a domain that is a wildcard domain.<o:p></o:p></pre><div><p class=MsoNormal><o:p> </o:p></p></div></div><div><p class=MsoNormal>This makes it clear that issue property applies when a wildcard domain is processed unless there is an issuewild property.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thanks,<o:p></o:p></p></div><div><p class=MsoNormal>Peter<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>On Jun 22, 2017, at 11:46 AM, Phillip via Public <<a href="mailto:public@cabforum.org">public@cabforum.org</a>> wrote:<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>It is my understanding that the text as drafted prohibits issue of a<br>wildcard certificate if the record set only contains issue records and issue<br>of a non wildcard certificate if the record set only contains issuewild<br>records.<br><br>My reasoning is as follows:<br><br>The relevant parts of the specification are:<br><br>4. 
Certification Authority Processing<br><br> Before issuing a certificate, a compliant CA MUST check for<br> publication of a relevant CAA Resource Record set. If such a record<br> set exists, a CA MUST NOT issue a certificate unless the CA<br> determines that either (1) the certificate request is consistent with<br> the applicable CAA Resource Record set or (2) an exception specified<br> in the relevant Certificate Policy or Certification Practices<br> Statement applies.<br><br> A certificate request MAY specify more than one domain name and MAY<br> specify wildcard domains. Issuers MUST verify authorization for all<br> the domains and wildcard domains specified in the request.<br><br>3. The CAA RR Type<br><br> issue &lt;Issuer Domain Name&gt; [; &lt;name&gt;=&lt;value&gt; ]* : The issue property<br> entry authorizes the holder of the domain name &lt;Issuer Domain<br> Name&gt; or a party acting under the explicit authority of the holder<br> of that domain name to issue certificates for the domain in which<br> the property is published.<br><br> issuewild &lt;Issuer Domain Name&gt; [; &lt;name&gt;=&lt;value&gt; ]* : The issuewild<br> property entry authorizes the holder of the domain name &lt;Issuer<br> Domain Name&gt; or a party acting under the explicit authority of the<br> holder of that domain name to issue wildcard certificates for the<br> domain in which the property is published.<br><br><br>Section 4 specifies that the CA MUST NOT issue a certificate unless... 'is<br>consistent'<br><br>If we were to interpret 'is consistent' as meaning that the absence of an<br>authorization record implies authorization then the whole specification<br>becomes meaningless. The argument made that silence on issue permits<br>issuewild would apply just as well to issue. <br><br><br>Proposed resolution:<br><br>I do not believe that the text as written is ambiguous. However, out of an<br>abundance of caution and to eliminate any possible doubt, I propose an<br>errata to read as follows:<br><br>Existing text<br><br>4. 
Certification Authority Processing<br><br> Before issuing a certificate, a compliant CA MUST check for<br> publication of a relevant CAA Resource Record set. If such a record<br> set exists, a CA MUST NOT issue a certificate unless the CA<br> determines that either (1) the certificate request is consistent with<br> the applicable CAA Resource Record set or (2) an exception specified<br> in the relevant Certificate Policy or Certification Practices<br> Statement applies.<br><br>Replacement text<br><br>4. Certification Authority Processing<br><br> Before issuing a certificate, a compliant CA MUST check for<br> publication of a relevant CAA Resource Record set. If such a record<br> set exists, a CA MUST NOT issue a certificate unless the CA<br> determines that either (1) the certificate request is consistent with<br> and explicitly authorized by the applicable CAA Resource Record <br> set or (2) an exception specified in the relevant Certificate Policy <br> or Certification Practices Statement applies.<br><br><br>-----Original Message-----<br>From: Public [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] On Behalf Of philliph---<br>via Public<br>Sent: Thursday, June 22, 2017 10:47 AM<br>To: Gervase Markham <<a href="mailto:gerv@mozilla.org">gerv@mozilla.org</a>>; CA/Browser Forum Public Discussion<br>List <<a href="mailto:public@cabforum.org">public@cabforum.org</a>><br>Subject: Re: [cabfpub] no CAA authorizations -- RFC 6844<br><br>It was certainly the intention that presence of an issue prevents issue of<br>wildcard certs.<br><br>I will re-read that section and report.<br><br>Meanwhile, I have had some comment on the discovery fixup and will rev that.<br><br><br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal>On Jun 22, 2017, at 8:34 AM, Gervase Markham via Public<o:p></o:p></p></blockquote><p class=MsoNormal><<a href="mailto:public@cabforum.org">public@cabforum.org</a>> 
wrote:<br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><br>On 22/06/17 06:42, y-iida--- via Public wrote:<br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal>&lt;C&gt; Likewise, when there are some relevant CAA records, but no CAA <br>with "issuewild" property tag at all for a certificate domain, we <br>will issue wildcard certificate for that domain.<o:p></o:p></p></blockquote><p class=MsoNormal><br>You should read RFC6844 carefully, but to my understanding, this is <br>incorrect. If there is an "issue" property but no "issuewild" <br>property, then the "issue" property also controls the issuance of wildcard<br>certs.<br><br>So you need to respect it in that case.<br><br>Gerv<br><br>_______________________________________________<br>Public mailing list<br><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br><a href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p></blockquote></div></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></body></html>
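<p class=MsoNormal>The issue/issuewild selection rule from RFC 6844 section 5.3, as quoted in the thread above, written out as a checker. This is an added example, not code from the mailing list, from RFC 6844, or from any CA's implementation. It assumes the relevant CAA record set has already been located by the discovery procedure (the "discovery fixup" mentioned in the thread is not covered), and the names CAARecord, parse_issuer, applicable_properties and caa_permits are chosen here. The point the thread disputes is kept as an explicit switch: with the default explicit_required=True, a record set that leaves no applicable issue or issuewild property denies issuance, which is the "consistent with and explicitly authorized by" reading of the proposed errata; explicit_required=False gives the "silence permits" reading argued against. For the case in the message at the top (example.com carries issue alice.com only; *.example.com requested from bob.com), both readings deny bob.com; they differ only on whether alice.com may issue the wildcard, which section 5.3 as quoted permits.</p>

```python
"""CAA issue/issuewild selection per RFC 6844 section 5.3 (added example).

Not the mailing list's or any CA's code. Assumes the relevant CAA RRset has
already been located by CAA discovery; all names below are chosen for this
example.
"""
from dataclasses import dataclass
from typing import Iterable, List

CRITICAL = 0x80  # issuer-critical flag bit of a CAA RR (RFC 6844 section 3)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # property tags defined by RFC 6844


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_issuer(value: str) -> str:
    """Issuer domain name of an issue/issuewild value, lowercased.

    'ca.example; account=123' -> 'ca.example'.  ';' -> '' which is the
    RFC 6844 section 5.2 "no issuance" form; it can never match a real CA.
    """
    return value.split(";", 1)[0].strip().lower()


def applicable_properties(rrset: Iterable[CAARecord], wildcard: bool) -> List[CAARecord]:
    """Select the properties that govern this request (RFC 6844 section 5.3)."""
    records = list(rrset)
    tags = {r.tag.lower() for r in records}
    if not wildcard:
        # issuewild MUST be ignored when the requested name is not a wildcard
        return [r for r in records if r.tag.lower() == "issue"]
    if "issuewild" in tags:
        # at least one issuewild is present: every issue property MUST be ignored
        return [r for r in records if r.tag.lower() == "issuewild"]
    # no issuewild at all: the issue properties govern the wildcard request too
    return [r for r in records if r.tag.lower() == "issue"]


def caa_permits(rrset: Iterable[CAARecord], ca_domain: str, wildcard: bool,
                explicit_required: bool = True) -> bool:
    """Decide whether the CA identified by ca_domain may issue for this request.

    explicit_required=True: a record set that leaves no applicable property
    denies issuance (the "explicitly authorized" reading proposed in the
    thread).  explicit_required=False: silence permits issuance.
    """
    records = list(rrset)
    if not records:
        return True  # no relevant CAA RRset at all: CAA places no restriction
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in records):
        return False  # a property we do not understand is marked critical: MUST NOT issue
    applicable = applicable_properties(records, wildcard)
    if not applicable:
        return not explicit_required
    return ca_domain.lower() in {parse_issuer(r.value) for r in applicable}


def thread_example() -> dict:
    """The case from the message above: issue alice.com only, *.example.com requested.

    Constructed record set, not a real DNS lookup.
    """
    rrset = [CAARecord(0, "issue", "alice.com")]
    return {
        "bob_wildcard": caa_permits(rrset, "bob.com", wildcard=True),
        "alice_wildcard": caa_permits(rrset, "alice.com", wildcard=True),
        "alice_plain": caa_permits(rrset, "alice.com", wildcard=False),
    }


if __name__ == "__main__":
    print(thread_example())
```

<p class=MsoNormal>Running the module prints the decision for the thread's case: bob.com is refused for *.example.com under either reading, because the only applicable property names alice.com. Flipping explicit_required only changes what happens when nothing applicable is left, for instance a record set holding only issuewild when a non-wildcard name is requested, which is exactly the situation the proposed errata is meant to pin down.</p>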