[cabfpub] CAA "issue" addresses wildcard issuance ? (was: CAA records on opera.com)

=JeffH Jeff.Hodges at KingsMountain.com
Mon Nov 25 18:06:07 UTC 2013


Rob Stradling wrote..
 >
 > You're currently serving an "issue" record and an "issuewild" record,
 > both for "digicert.com".
 >
 > That "issuewild" record is redundant.
 >
 > If there is no "issuewild" record present, the "issue" record(s) are
 > applicable to both non-wildcards and wildcards.

Hi Rob & Phil,

I've been looking through rfc6844 to try to parse out the above assertion 
that if the issuer is the same for both an "issue" record and an "issuewild" 
record, that the "issuewild" record is redundant.

This appears to be implied by section "5.2. CAA issue Property" in rfc6844, 
but not explicitly stated.

Am I missing something in rfc6844 that explicitly states that an "issue" 
record applies to issuance of all types of certs by the stated issuer?

If I am not missing something and others also interpret the spec similarly 
-- i.e., that "issue" alone doesn't apply to wildcard cert issuance -- then 
I'm a bit concerned about CA tooling implementors getting this correct on 
their end.

thanks,

=JeffH
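
Added example, not part of the original message: a CA-side check in Python that implements the reading Rob Stradling gives in the quoted text, where "issue" records govern wildcard requests unless an "issuewild" record is present. The function names, the names under example.com and other-ca.example are constructed for illustration; ignoring "issuewild" for non-wildcard names and treating a record set with no applicable property as unrestricted are assumptions.

```python
# Added example: how CA tooling could choose between "issue" and "issuewild".
# Records are (tag, value) pairs from the relevant CAA record set.

def issuer_of(value):
    """Issuer domain from a CAA value; parameters after ';' are dropped.
    A bare ';' yields '' and therefore authorizes no issuer."""
    return value.split(";", 1)[0].strip().lower()

def caa_permits(records, requested_name, ca_domain):
    """True if the CA identified by ca_domain may issue for requested_name."""
    wildcard = requested_name.startswith("*.")
    issue = [issuer_of(v) for t, v in records if t.lower() == "issue"]
    issuewild = [issuer_of(v) for t, v in records if t.lower() == "issuewild"]

    if wildcard and issuewild:
        # Wildcard request and at least one issuewild record:
        # only the issuewild records count.
        applicable = issuewild
    else:
        # Non-wildcard request, or wildcard request with no issuewild
        # record: the issue records apply (the reading quoted above).
        applicable = issue

    if not applicable:
        # Assumption: no applicable property means no restriction.
        return True
    ca = ca_domain.strip().lower()
    return bool(ca) and ca in applicable

def same_decisions(a, b, names, cas):
    """True if record sets a and b give identical answers for every request."""
    return all(caa_permits(a, n, c) == caa_permits(b, n, c)
               for n in names for c in cas)

# Constructed sample record sets.
BOTH = [("issue", "digicert.com"), ("issuewild", "digicert.com")]
ISSUE_ONLY = [("issue", "digicert.com")]
NO_WILDCARDS = [("issue", "digicert.com"), ("issuewild", ";")]
NAMES = ["www.example.com", "*.example.com"]
CAS = ["digicert.com", "other-ca.example"]

if __name__ == "__main__":
    # Under this reading the extra issuewild record changes no decision.
    print("issuewild redundant:", same_decisions(BOTH, ISSUE_ONLY, NAMES, CAS))
    for name in NAMES:
        print(name, caa_permits(NO_WILDCARDS, name, "digicert.com"))
```
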