[cabfpub] CAA "issue" addresses wildcard issuance ? (was: CAA records on opera.com)

Gervase Markham gerv at mozilla.org
Tue Nov 26 12:43:34 MST 2013


On 26/11/13 13:49, Phillip Hallam-Baker wrote:
> Remember that CAA records grant permission. The reason that the
> issuewild record was added is that some people said they wanted to
> make issue of wildcard certs more restrictive than issue of
> non-wildcard or enforce a ‘no wildcard certs’ policy.

Which is an incredibly useful feature. Even if your org doesn't yet have
a handle on how many different CAs you use across all your subdomains, a
restrictive issuewild record at the top level allows certain subdomains
who do have their act together to protect themselves without fear of
being bypassed by a wildcard cert for your TLD.

Gerv
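The scenario in this message, as an added example that is not part of the original post: a small CAA evaluator showing how a top-level `issuewild ";"` blocks wildcard certificates while leaving non-wildcard issuance unrestricted, and how a subdomain's own `issue` record then holds. It assumes the processing rules of RFC 8659 and ignores the critical flag and issuer parameters; the zone data, domain names and CA identifiers are constructed.

```python
# Constructed zone data: owner name -> list of (tag, value) CAA properties.
# All names and CA identifiers are hypothetical.
ZONE = {
    "example.com": [("issuewild", ";")],                # no wildcards, from any CA
    "secure.example.com": [("issue", "ca-a.example")],  # subdomain that pinned its CA
}

def relevant_rrset(name, zone):
    """Climb from name towards the root; the first non-empty CAA RRset wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def issuer_domain(value):
    """Issuer domain name of an issue/issuewild value, parameters dropped."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(ca, requested, zone):
    """True if CAA permits `ca` to issue for `requested` (may start with '*.')."""
    wildcard = requested.startswith("*.")
    rrset = relevant_rrset(requested[2:] if wildcard else requested, zone)
    issue = [issuer_domain(v) for t, v in rrset if t.lower() == "issue"]
    wild = [issuer_domain(v) for t, v in rrset if t.lower() == "issuewild"]
    if wildcard and wild:
        allowed = wild   # issuewild present: issue is ignored for wildcard names
    elif issue:
        allowed = issue  # issue covers both kinds when issuewild does not apply
    else:
        return True      # nothing in the RRset restricts this request
    return ca.lower() in allowed

if __name__ == "__main__":
    for ca, name in [("ca-b.example", "*.example.com"),
                     ("ca-b.example", "www.example.com"),
                     ("ca-a.example", "secure.example.com"),
                     ("ca-b.example", "secure.example.com")]:
        print(f"{ca:14} {name:22} -> {may_issue(ca, name, ZONE)}")
```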

