<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><meta http-equiv="Content-Type" content="text/html charset=us-ascii" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Looking at the current situation, I am thinking that the fixup ballot to the fixup ballot should assume 214 fails and be worded as follows:<div class=""><br class=""><div class=""><br class=""></div><div class=""><span style="font-family: 'Times New Roman', serif; font-size: 16px;" class="">In the Baseline Requirements v1.4.9 Section 3.2.2.8. CAA Records</span><br style="font-family: 'Times New Roman', serif; font-size: 16px;" class=""><span style="font-family: 'Times New Roman', serif; font-size: 16px;" class=""> </span><br style="font-family: 'Times New Roman', serif; font-size: 16px;" class=""><span style="font-family: 'Times New Roman', serif; font-size: 16px;" class="">Strike:</span><br style="font-family: 'Times New Roman', serif; font-size: 16px;" class=""><span style="font-family: 'Times New Roman', serif; font-size: 16px;" class=""> </span><br style="font-family: 'Times New Roman', serif; font-size: 16px;" class=""><span style="font-family: 'Times New Roman', serif; font-size: 16px;" class="">As part of the issuance process, the CA MUST check for a CAA record for each dNSName in the subjectAltName extension of the certificate to be issued, according to the procedure in RFC 6844, following the processing instructions set down in RFC 6844 for any records found. If the CA issues, they MUST do so within the TTL of the CAA record, or 8 hours, whichever is greater.</span><br style="font-family: 'Times New Roman', serif; font-size: 16px;" class=""><span style="font-family: 'Times New Roman', serif; font-size: 16px;" class=""> </span><br style="font-family: 'Times New Roman', serif; font-size: 16px;" class=""><span style="font-family: 'Times New Roman', serif; font-size: 16px;" class="">Replace with:</span><br style="font-family: 'Times New Roman', serif; font-size: 16px;" class=""><span style="font-family: 'Times New Roman', serif; font-size: 16px;" class=""> </span></div><div class=""><span style="font-family: 'Times New Roman', serif; font-size: 16px;" class="">With effect until </span><span style="font-family: 'Times New Roman', serif; font-size: inherit;" class="">XXth YYYY 2018, </span></div><div class=""><span style="font-family: 'Times New Roman', serif; font-size: inherit;" class=""><br class=""></span></div><div class=""><span style="font-family: 'Times New Roman', serif; font-size: 16px;" class="">As part of the issuance process, the CA MUST check for CAA records and follow the processing instructions for any records found, for each dNSName in the subjectAltName extension of the certificate to be issued, as specified in either</span><span style="font-family: 'Times New Roman', serif; font-size: 16px;" class=""> </span><span style="font-family: 'Times New Roman', serif; font-size: 16px;" class="">RFC 6844 or </span><span style="font-family: 'Times New Roman', serif; font-size: 16px;" class="">RFC 6844 as amended by Errata 5065 (Appendix A). If the CA issues, they MUST do so within the TTL of the CAA record, or 8 hours, whichever is greater.</span></div><div class=""><span style="font-family: 'Times New Roman', serif; font-size: 16px;" class=""><br class=""></span></div><div class=""><span style="font-family: 'Times New Roman', serif; font-size: 16px;" class="">With effect after </span><span style="font-family: 'Times New Roman', serif; font-size: inherit;" class="">YYYY 2018:</span></div><div class=""><span style="font-family: 'Times New Roman', serif; font-size: inherit;" class=""><br class=""></span></div><div class=""><span style="font-family: 'Times New Roman', serif; font-size: 16px;" class="">As part of the issuance process, the CA MUST check for CAA records and follow the processing instructions for any records found, for each dNSName in the subjectAltName extension of the certificate to be issued, as specified in RFC 6844 as amended by Errata 5065 (Appendix A). If the CA issues, they MUST do so within the TTL of the CAA record, or 8 hours, whichever is greater.</span></div><div class=""><br class=""></div></div><div class=""><span style="font-family: 'Times New Roman', serif; font-size: inherit;" class=""><br class=""></span></div><div class=""><span style="font-family: 'Times New Roman', serif; font-size: inherit;" class=""><br class=""></span></div><div class=""><span style="font-family: 'Times New Roman', serif; font-size: 16px;" class=""> </span><span style="font-family: 'Times New Roman', serif; font-size: inherit;" class=""> </span></div><div class=""><font face="Times New Roman, serif" size="3" class=""><br class=""></font></div></div></body></html>