<div dir="ltr">As currently required by the Forum, as specified in 6844.<div><br></div><div>Held for document update means just that - a future version of CAA may adjust the processing rules, consistent with the IETF process. It was not rejected - that is, there was sufficient consensus that it wasn't an outright bad idea - but it's not formally adopted.</div><div><br></div><div>However, this does give the Forum something somewhat-stable and reflecting broad-consensus and public participation to consider requiring in the interim, through a subsequent ballot, which would have the effect of 'relaxing' certain provisions of CAA. That is, should a member propose such a ballot, and should the Forum adopt it, this could be integrated - much as we have things such as non-critical nameConstraints to work around since-resolved vendor issues.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 23, 2017 at 5:31 AM, Mads Egil Henriksveen via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi<br>
<br>
What does this mean for us who are in the process of implementing support for CAA?<br>
<br>
Do we implement the CAA processing rules according to this errata or do we need to comply with the current version of RFC6844?<br>
<br>
Regards<br>
Mads<br>
<div class="HOEnZb"><div class="h5"><br>
-----Original Message-----<br>
From: Public [mailto:<a href="mailto:public-bounces@cabforum.org">public-bounces@<wbr>cabforum.org</a>] On Behalf Of Phillip via Public<br>
Sent: tirsdag 22. august 2017 22:15<br>
To: 'CA/Browser Forum Public Discussion List' <<a href="mailto:public@cabforum.org">public@cabforum.org</a>><br>
Subject: [cabfpub] FW: [Errata Held for Document Update] RFC6844 (5065)<br>
<br>
We have held for document update!<br>
<br>
<br>
-----Original Message-----<br>
From: RFC Errata System [mailto:<a href="mailto:rfc-editor@rfc-editor.org">rfc-editor@rfc-editor.<wbr>org</a>]<br>
Sent: Tuesday, August 22, 2017 12:58 PM<br>
To: <a href="mailto:philliph@comodo.com">philliph@comodo.com</a>; <a href="mailto:philliph@comodo.com">philliph@comodo.com</a>; <a href="mailto:rob.stradling@comodo.com">rob.stradling@comodo.com</a><br>
Cc: <a href="mailto:ekr@rtfm.com">ekr@rtfm.com</a>; <a href="mailto:iesg@ietf.org">iesg@ietf.org</a>; <a href="mailto:pkix@ietf.org">pkix@ietf.org</a>; <a href="mailto:rfc-editor@rfc-editor.org">rfc-editor@rfc-editor.org</a><br>
Subject: [Errata Held for Document Update] RFC6844 (5065)<br>
<br>
The following errata report has been held for document update for RFC6844, "DNS Certification Authority Authorization (CAA) Resource Record".<br>
<br>
------------------------------<wbr>--------<br>
You may review the report below and at:<br>
<a href="http://www.rfc-editor.org/errata/eid5065" rel="noreferrer" target="_blank">http://www.rfc-editor.org/<wbr>errata/eid5065</a><br>
<br>
------------------------------<wbr>--------<br>
Status: Held for Document Update<br>
Type: Technical<br>
<br>
Reported by: Phillip Hallam-Baker <<a href="mailto:philliph@comodo.com">philliph@comodo.com</a>> Date Reported: 2017-07-10 Held by: EKR (IESG)<br>
<br>
Section: 4<br>
<br>
Original Text<br>
-------------<br>
Let CAA(X) be the record set returned in response to performing a CAA<br>
record query on the label X, P(X) be the DNS label immediately above<br>
X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME<br>
alias record specified at the label X.<br>
<br>
o If CAA(X) is not empty, R(X) = CAA (X), otherwise<br>
<br>
o If A(X) is not null, and R(A(X)) is not empty, then R(X) =<br>
R(A(X)), otherwise<br>
<br>
o If X is not a top-level domain, then R(X) = R(P(X)), otherwise<br>
<br>
o R(X) is empty.<br>
<br>
Corrected Text<br>
--------------<br>
Let CAA(X) be the record set returned in response to performing a CAA<br>
record query on the label X, P(X) be the DNS label immediately above<br>
X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME<br>
alias record chain specified at the label X.<br>
<br>
o If CAA(X) is not empty, R(X) = CAA (X), otherwise<br>
<br>
o If A(X) is not null, and CAA(A(X)) is not empty, then R(X) =<br>
CAA(A(X)), otherwise<br>
<br>
o If X is not a top-level domain, then R(X) = R(P(X)), otherwise<br>
<br>
o R(X) is empty.<br>
<br>
Thus, when a search at node X returns a CNAME record, the CA will<br>
follow the CNAME record chain to its target. If the target label<br>
contains a CAA record, it is returned.<br>
<br>
?O?therwise, the CA continues the search at<br>
the parent of node X.<br>
<br>
Note that the search does not include the parent of a target of a<br>
CNAME record (except when the CNAME points back to its own path).<br>
<br>
To prevent resource exhaustion attacks, CAs SHOULD limit the length of<br>
CNAME chains that are accepted. However CAs MUST process CNAME<br>
chains that contain 8 or fewer CNAME records.<br>
<br>
Notes<br>
-----<br>
This is the updated errata to replace the ones previously deleted. It has been reviewed by all the parties concerned. Since this is a breaking change, this will have to go to hold for document update. The LAMPS working group is currently considering a more radical re-working of the CAA discovery scheme as a work item for its new charter.<br>
<br>
I will be in Prague to discuss...<br>
<br>
------------------------------<wbr>--------<br>
RFC6844 (draft-ietf-pkix-caa-15)<br>
------------------------------<wbr>--------<br>
Title : DNS Certification Authority Authorization (CAA) Resource Record<br>
Publication Date : January 2013<br>
Author(s) : P. Hallam-Baker, R. Stradling<br>
Category : PROPOSED STANDARD<br>
Source : Public-Key Infrastructure (X.509)<br>
Area : Security<br>
Stream : IETF<br>
Verifying Party : IESG<br>
<br>
______________________________<wbr>_________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://cabforum.org/mailman/<wbr>listinfo/public</a><br>
______________________________<wbr>_________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://cabforum.org/mailman/<wbr>listinfo/public</a><br>
</div></div></blockquote></div><br></div>