<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">I believe that this is a misreading, based on section 5.3:</div><div class=""><br class=""></div><div class=""><pre class="newpage" style="font-size: 13.3333px; margin-top: 0px; margin-bottom: 0px; break-before: page; font-variant-ligatures: normal; orphans: 2; widows: 2;"><span class="h3" style="line-height: 0pt; display: inline; font-size: 1em; font-weight: bold;"><h3 style="line-height: 0pt; display: inline; font-size: 1em;" class=""><a class="selflink" name="section-5.3" href="https://tools.ietf.org/html/rfc6844#section-5.3" style="color: black; text-decoration: none;">5.3</a>. CAA issuewild Property</h3></span>
The issuewild property has the same syntax and semantics as the issue
property except that issuewild properties only grant authorization to
issue certificates that specify a wildcard domain and issuewild
properties take precedence over issue properties when specified.
Specifically:
issuewild properties MUST be ignored when processing a request for
a domain that is not a wildcard domain.
If at least one issuewild property is specified in the relevant
CAA record set, all issue properties MUST be ignored when
processing a request for a domain that is a wildcard domain.</pre><div class=""><br class=""></div></div><div class="">This makes it clear that the issue property applies when a wildcard domain is processed unless there is an issuewild property.</div><div class=""><br class=""></div><div class="">Thanks,</div><div class="">Peter</div><br class=""><div><blockquote type="cite" class=""><div class="">On Jun 22, 2017, at 11:46 AM, Phillip via Public <<a href="mailto:public@cabforum.org" class="">public@cabforum.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">It is my understanding that the text as drafted prohibits issue of a<br class="">wildcard certificate if the record set only contains issue records and issue<br class="">of a non-wildcard certificate if the record set only contains issuewild<br class="">records.<br class=""><br class="">My reasoning is as follows:<br class=""><br class="">The relevant parts of the specification are:<br class=""><br class="">4. Certification Authority Processing<br class=""><br class=""> Before issuing a certificate, a compliant CA MUST check for<br class=""> publication of a relevant CAA Resource Record set. If such a record<br class=""> set exists, a CA MUST NOT issue a certificate unless the CA<br class=""> determines that either (1) the certificate request is consistent with<br class=""> the applicable CAA Resource Record set or (2) an exception specified<br class=""> in the relevant Certificate Policy or Certification Practices<br class=""> Statement applies.<br class=""><br class=""> A certificate request MAY specify more than one domain name and MAY<br class=""> specify wildcard domains. Issuers MUST verify authorization for all<br class=""> the domains and wildcard domains specified in the request.<br class=""><br class="">3. 
The CAA RR Type<br class=""><br class=""> issue <Issuer Domain Name> [; <name>=<value> ]* : The issue property<br class=""> entry authorizes the holder of the domain name <Issuer Domain<br class=""> Name> or a party acting under the explicit authority of the holder<br class=""> of that domain name to issue certificates for the domain in which<br class=""> the property is published.<br class=""><br class=""> issuewild <Issuer Domain Name> [; <name>=<value> ]* : The issuewild<br class=""> property entry authorizes the holder of the domain name <Issuer<br class=""> Domain Name> or a party acting under the explicit authority of the<br class=""> holder of that domain name to issue wildcard certificates for the<br class=""> domain in which the property is published.<br class=""><br class=""><br class="">Section 4 specifies that the CA MUST NOT issue a certificate unless... 'is<br class="">consistent'<br class=""><br class="">If we were to interpret 'is consistent' as meaning that the absence of an<br class="">authorization record implies authorization then the whole specification<br class="">becomes meaningless. The argument made that silence on issue permits<br class="">issuewild would apply just as well to issue.<br class=""><br class=""><br class="">Proposed resolution:<br class=""><br class="">I do not believe that the text as written is ambiguous. However, out of an<br class="">abundance of caution and to eliminate any possible doubt, I propose an<br class="">errata to read as follows:<br class=""><br class="">Existing text<br class=""><br class="">4. Certification Authority Processing<br class=""><br class=""> Before issuing a certificate, a compliant CA MUST check for<br class=""> publication of a relevant CAA Resource Record set. 
If such a record<br class=""> set exists, a CA MUST NOT issue a certificate unless the CA<br class=""> determines that either (1) the certificate request is consistent with<br class=""> the applicable CAA Resource Record set or (2) an exception specified<br class=""> in the relevant Certificate Policy or Certification Practices<br class=""> Statement applies.<br class=""><br class="">Replacement text<br class=""><br class="">4. Certification Authority Processing<br class=""><br class=""> Before issuing a certificate, a compliant CA MUST check for<br class=""> publication of a relevant CAA Resource Record set. If such a record<br class=""> set exists, a CA MUST NOT issue a certificate unless the CA<br class=""> determines that either (1) the certificate request is consistent with<br class=""> and explicitly authorized by the applicable CAA Resource Record <br class=""> set or (2) an exception specified in the relevant Certificate Policy <br class=""> or Certification Practices Statement applies.<br class=""><br class=""><br class="">-----Original Message-----<br class="">From: Public [<a href="mailto:public-bounces@cabforum.org" class="">mailto:public-bounces@cabforum.org</a>] On Behalf Of philliph---<br class="">via Public<br class="">Sent: Thursday, June 22, 2017 10:47 AM<br class="">To: Gervase Markham <<a href="mailto:gerv@mozilla.org" class="">gerv@mozilla.org</a>>; CA/Browser Forum Public Discussion<br class="">List <<a href="mailto:public@cabforum.org" class="">public@cabforum.org</a>><br class="">Subject: Re: [cabfpub] no CAA authorizations -- RFC 6844<br class=""><br class="">It was certainly the intention that presence of an issue prevents issue of<br class="">wildcard certs.<br class=""><br class="">I will re-read that section and report.<br class=""><br class="">Meanwhile, I have had some comment on the discovery fixup and will rev that.<br class=""><br class=""><br class=""><blockquote type="cite" class="">On Jun 22, 2017, at 8:34 AM, Gervase Markham 
via Public<br class=""></blockquote><<a href="mailto:public@cabforum.org" class="">public@cabforum.org</a>> wrote:<br class=""><blockquote type="cite" class=""><br class="">On 22/06/17 06:42, y-iida--- via Public wrote:<br class=""><blockquote type="cite" class=""><C> Likewise, when there are some relevant CAA records, but no CAA <br class="">with "issuewild" property tag at all for a certificate domain, we <br class="">will issue wildcard certificate for that domain.<br class=""></blockquote><br class="">You should read RFC6844 carefully, but to my understanding, this is <br class="">incorrect. If there is an "issue" property but no "issuewild" <br class="">property, then the "issue" property also controls the issuance of wildcard<br class=""></blockquote>certs.<br class=""><blockquote type="cite" class="">So you need to respect it in that case.<br class=""><br class="">Gerv<br class=""><br class="">_______________________________________________<br class="">Public mailing list<br class=""><a href="mailto:Public@cabforum.org" class="">Public@cabforum.org</a><br class="">https://cabforum.org/mailman/listinfo/public<br class=""></blockquote><br class="">_______________________________________________<br class="">Public mailing list<br class=""><a href="mailto:Public@cabforum.org" class="">Public@cabforum.org</a><br class="">https://cabforum.org/mailman/listinfo/public<br class=""><br class="">_______________________________________________<br class="">Public mailing list<br class="">Public@cabforum.org<br class="">https://cabforum.org/mailman/listinfo/public<br class=""></div></div></blockquote></div><br class=""></body></html>