<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>That was the intended semantics.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>If only issue records were specified, they govern regular and wildcard.<o:p></o:p></p><p class=MsoNormal>If any wildcard is specified, it has no effect for a non-wildcard request but governs any wildcard request.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thus if the records are <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Courier New";color:black'> $ORIGIN example.com<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Courier New";color:black'> . CAA 0 issue "alice.com"<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Then <o:p></o:p></p><p class=MsoNormal> alice.com may issue a cert for example.com or *.example.com<o:p></o:p></p><p class=MsoNormal> bob.com, carol.com may not issue any cert at all.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>If, however, the records are<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Courier New";color:black'> $ORIGIN example.com<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Courier New";color:black'> . CAA 0 issue "alice.com"<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Courier New";color:black'> . 
CAA 0 issuewild "bob.com"<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Then <o:p></o:p></p><p class=MsoNormal> alice.com may issue a cert for example.com BUT NOT *.example.com<o:p></o:p></p><p class=MsoNormal> bob.com may issue a cert for *.example.com BUT NOT example.com<o:p></o:p></p><p class=MsoNormal> carol.com may not issue any cert at all.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The reason for this approach was that very few domains want to have separate rules for wildcard and regular certs. Those that do will normally want the issue of wildcard to be more restrictive. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Peter Bowen [mailto:pzb@amzn.com] <br><b>Sent:</b> Thursday, June 22, 2017 3:37 PM<br><b>To:</b> Phillip <philliph@comodo.com><br><b>Cc:</b> CA/Browser Forum Public Discussion List <public@cabforum.org>; ekr@rtfm.com; kathleen.moriarty.ietf@gmail.com<br><b>Subject:</b> Re: "[UNVERIFIED SENDER]Re: [cabfpub] no CAA authorizations -- RFC 6844<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>On Jun 22, 2017, at 12:31 PM, Phillip <<a href="mailto:philliph@comodo.com">philliph@comodo.com</a>> wrote:<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>It is not clear which of us you are responding to.<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>Let us consider the case proposed:<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><ul style='margin-top:0in' type=disc><li class=MsoNormal style='margin-left:0in;mso-list:l0 level1 lfo1'>Domain<span class=apple-converted-space> </span><a 
href="http://example.com/"><span style='color:purple'>example.com</span></a><span class=apple-converted-space> </span>has an issue entry for CA<span class=apple-converted-space> </span><a href="http://alice.com/"><span style='color:purple'>alice.com</span></a><span class=apple-converted-space> </span>but no issuewild<o:p></o:p></li><li class=MsoNormal style='margin-left:0in;mso-list:l0 level1 lfo1'>Certificate requested for *.<a href="http://example.com/"><span style='color:purple'>example.com</span></a><span class=apple-converted-space> </span>from<span class=apple-converted-space> </span><a href="http://bob.com/"><span style='color:purple'>bob.com</span></a><o:p></o:p></li></ul><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>So section 5.3 does not apply. There is no issuewild to take priority.<span class=apple-converted-space> </span><o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>The request has a wildcard so the requirement to ignore issuewild records for a non-wildcard does not apply.<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>No issuewild properties are specified. So the second part does not apply.<o:p></o:p></p></div></div></blockquote><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Agreed.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>However, a certificate requested for *.<a href="http://example.com">example.com</a> from <a href="http://alice.com">alice.com</a> would be allowed to issue with the records you show in your example.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thanks,<o:p></o:p></p></div><div><p class=MsoNormal>Peter<o:p></o:p></p></div></div></body></html>
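<div><p class=MsoNormal>Added example, not code from this thread or from any CA's implementation: a small Python evaluator of the issue/issuewild semantics described in the reply above, checked against the two record sets it gives (issue only; issue plus issuewild). It assumes the CAA records have already been collected for the relevant domain (the RFC 6844 climb to parent domains is not shown) and treats the RFC 6844 empty-issuer form <span style='font-family:"Courier New"'>issue ";"</span> as "no CA may issue".</p>
<pre>
```python
# Added example (not from the thread): CAA issue/issuewild evaluation
# following the semantics Phillip describes. Input records are assumed to
# be the relevant set for the domain already; no parent-domain lookup here.

def _ca_from_value(value):
    """Return the CA domain from a CAA property value, ignoring parameters.

    'alice.com; account=123' gives 'alice.com'.
    ';' (RFC 6844 "no issuance") gives '' so it matches no CA.
    """
    return value.split(";", 1)[0].strip().lower()


def caa_allows(records, ca, wildcard):
    """Decide whether `ca` may issue, given (tag, value) CAA records.

    Rules as stated in the message:
      - with no issuewild record present, issue records govern both
        regular and wildcard requests;
      - if any issuewild record exists it alone governs wildcard
        requests and is ignored for non-wildcard requests.
    """
    issue = [_ca_from_value(v) for t, v in records if t.lower() == "issue"]
    issuewild = [_ca_from_value(v) for t, v in records
                 if t.lower() == "issuewild"]

    governing = issuewild if (wildcard and issuewild) else issue

    # No governing records at all: CAA places no restriction on the request.
    if not governing:
        return True
    # Empty issuer entries (the ';' form) are an explicit "nobody may issue".
    return ca.lower() in [c for c in governing if c]


# Constructed samples: the two record sets quoted in the reply above.
ONLY_ISSUE = [("issue", "alice.com")]
ISSUE_AND_WILD = [("issue", "alice.com"), ("issuewild", "bob.com")]


if __name__ == "__main__":
    for name, recs in (("only issue", ONLY_ISSUE), ("issue+wild", ISSUE_AND_WILD)):
        for ca in ("alice.com", "bob.com", "carol.com"):
            print(name, ca,
                  "example.com:", caa_allows(recs, ca, wildcard=False),
                  "*.example.com:", caa_allows(recs, ca, wildcard=True))
```
</pre></div>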