[cabfpub] CAA "issue" addresses wildcard issuance ? (was: CAA, records on opera.com)
=JeffH
Jeff.Hodges at KingsMountain.com
Wed Nov 27 20:29:37 UTC 2013
Hey guys, thanks for looking into this.
> But perhaps it would've been useful if Section 5.2 had explicitly said
> something like:
>
> "The issue property always applies to non-wildcard domains. Also,
> except where noted in Section 5.3, the issue property also applies to
> wildcard domains".
agreed, such an explicit statement will largely resolve the lack of clarity,
it seems to me.
Editorial comments on the above:
s/where noted/as noted/
s/the issue property also applies/the issue property applies/
(there's already an "also" at the beginning of the 2nd sentence)
On 26/11/13 13:49, Phillip Hallam-Baker wrote:
>
> Remember that CAA records grant permission. The reason that the
> issuewild record was added is that some people said they wanted to
> make issue of wildcard certs more restrictive than issue of
> non-wildcard or enforce a ‘no wildcard certs’ policy.
Hm, this is a subtle-but-important feature it seems.
So it seems you are referring to a CAA policy config like so..
$ORIGIN example.com
. CAA 0 issue "ca.example.net"
. CAA 0 issuewild ";"
..which says that ca.example.net may issue non-wildcard certs for
example.com, but no one is allowed to issue wildcard certs for example.com, yes?
I suppose this comprises another comment on RFC6844 in that having such an
example in the spec would be useful.
Gerv wrote:
>
> Which is an incredibly useful feature. Even if your org doesn't yet have
> a handle on how many different CAs you use across all your subdomains, a
> restrictive issuewild record at the top level allows certain subdomains
> who do have their act together to protect themselves without fear of
> being bypassed by a wildcard cert for your TLD.
This is another subtle-but-important thing to explore it seems..
If I understand correctly, you're implying a CAA policy config like so..
$ORIGIN example.com
. CAA 0 issuewild ";"
$ORIGIN subdomain1.example.com
. CAA 0 issue "ca.example.net"
$ORIGIN subdomain2.example.com
. CAA 0 issue "ca.example.net"
. CAA 0 issuewild ";"
..where the desire is that ca.example.net can issue regular or wildcard
certs for subdomain1.example.com (i.e., *.subdomain1.example.com), but
no-one can issue wildcard certs for *.example.com.
Also, ca.example.net can issue only non-wildcard certs for
subdomain2.example.com.
Yes?
If correct, such examples would be also useful to have in the spec.
thanks,
=JeffH
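The two CAA configurations discussed in this message, run through a small evaluator. This is an added example, not code from the thread or from any CA: the zone data is constructed from the message, the tree-climbing and issue/issuewild precedence follow RFC 6844 Sections 4, 5.2 and 5.3, and the reading that an RRset with no record of the governing tag imposes no restriction on that request type is an assumption stated in the code.

```python
"""Evaluate CAA issue/issuewild policy for the example.com zones in the thread."""
from typing import Dict, List, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed zone: the second configuration in the message (Gerv's scenario).
ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [(0, "issuewild", ";")],
    "subdomain1.example.com": [(0, "issue", "ca.example.net")],
    "subdomain2.example.com": [(0, "issue", "ca.example.net"), (0, "issuewild", ";")],
}

# Constructed zone: the first configuration (Phillip's "no wildcard certs" policy).
ZONE_NO_WILDCARD: Dict[str, List[CAARecord]] = {
    "example.com": [(0, "issue", "ca.example.net"), (0, "issuewild", ";")],
}

def relevant_rrset(zone: Dict[str, List[CAARecord]], fqdn: str) -> List[CAARecord]:
    """Climb from fqdn toward the root and return the closest non-empty CAA RRset
    (RFC 6844 Section 4). The '*' label is dropped first, so *.example.com is
    governed by the records found at or above example.com."""
    labels = fqdn.rstrip(".").lower().split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []

def issuer_domain(value: str) -> str:
    """'ca.example.net; account=1' -> 'ca.example.net'; ';' -> '' (authorizes no CA)."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(zone: Dict[str, List[CAARecord]], fqdn: str, ca: str) -> bool:
    """True if CA 'ca' (its issuer domain name) may issue a certificate for fqdn."""
    rrset = relevant_rrset(zone, fqdn)
    if not rrset:
        return True  # no CAA records in the ancestry: CAA does not restrict issuance
    wildcard = fqdn.startswith("*.")
    tags = {tag for _, tag, _ in rrset}
    # issuewild takes precedence for wildcard names when present (Section 5.3);
    # otherwise the issue records govern wildcard and non-wildcard names alike.
    governing = "issuewild" if wildcard and "issuewild" in tags else "issue"
    selected = [v for _, tag, v in rrset if tag == governing]
    if not selected:
        return True  # assumption: no record of the governing tag means no restriction requested
    authorized = {issuer_domain(v) for v in selected} - {""}  # ';' grants nothing
    return ca.lower() in authorized
```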