[cabfpub] CAA "issue" addresses wildcard issuance ? (was: CAA records on opera.com)

=JeffH Jeff.Hodges at KingsMountain.com
Mon Nov 25 18:06:07 UTC 2013

Rob Stradling wrote..
 > You're currently serving an "issue" record and an "issuewild" record,
 > both for "digicert.com".
 > That "issuewild" record is redundant.
 > If there is no "issuewild" record present, the "issue" record(s) are
 > applicable to both non-wildcards and wildcards.

Hi Rob & Phil,

I've been looking through rfc6844 to try to parse out the above assertion 
that if the issuer is the same for both an "issue" record and an "issuewild" 
record, that the "issuewild" record is redundant.

This appears to be implied by section "5.2. CAA issue Property" in rfc6844, 
but not explicitly stated.

Am I missing something in rfc6844 that explicitly states that an "issue" 
record applies to issuance of all types of certs by the stated issuer?

If I am not missing something and others also interpret the spec similarly 
-- i.e., that "issue" alone doesn't apply to wildcard cert issuance -- then 
I'm a bit concerned about CA tooling implementors getting this correct on 
their end.



More information about the Public mailing list