[cabfpub] CAA "issue" addresses wildcard issuance ? (was: CAA records on opera.com)

Ryan Sleevi sleevi at google.com
Mon Nov 25 20:29:42 UTC 2013


On Mon, Nov 25, 2013 at 10:06 AM, =JeffH <Jeff.Hodges at kingsmountain.com> wrote:
> Rob Stradling wrote..
>  >
>  > You're currently serving an "issue" record and an "issuewild" record,
>  > both for "digicert.com".
>  >
>  > That "issuewild" record is redundant.
>  >
>  > If there is no "issuewild" record present, the "issue" record(s) are
>  > applicable to both non-wildcards and wildcards.
>
> Hi Rob & Phil,
>
> I've been looking through rfc6844 to try to parse out the above assertion
> that if the issuer is the same for both an "issue" record and an "issuewild"
> record, that the "issuewild" record is redundant.
>
> This appears to be implied by section "5.2. CAA issue Property" in rfc6844,
> but not explicitly stated.
>
> Am I missing something in rfc6844 that explicitly states that an "issue"
> record applies to issuance of all types of certs by the stated issuer?
>
> If I am not missing something and others also interpret the spec similarly
> -- i.e., that "issue" alone doesn't apply to wildcard cert issuance -- then
> I'm a bit concerned about CA tooling implementors getting this correct on
> their end.
>
> thanks,
>
> =JeffH
>

I'll point out that this also tripped us up while deploying - Google
also deployed both issue and issuewild, and Comodo also needed to
point this out.

It's definitely implied by the first paragraph of 5.2, but the
ambiguity in relationship to 5.3 was indeed confusing.
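Added example, not code from anyone in this thread: a small RFC 6844 evaluator that encodes the rule Rob states (an "issue" record covers wildcards when no "issuewild" record is present) together with the section 5.3 precedence rule ("issuewild", when present, supersedes "issue" for wildcard names) and the section 4 parent-domain climb. The zone data and CA identifiers are constructed; the dict stands in for a resolver.

```python
"""RFC 6844 CAA "issue"/"issuewild" evaluation (constructed example)."""
from typing import Dict, List, Tuple

CaaRecord = Tuple[str, str]  # (property tag, value); flags are ignored here

# Constructed zone data. example.com publishes issue and issuewild for the
# same CA, which is the redundant setup discussed in the thread; example.net
# allows wildcards only from a second (hypothetical) CA; locked.example
# uses the empty "issue ;" form that forbids every issuer.
ZONE: Dict[str, List[CaaRecord]] = {
    "example.com": [("issue", "digicert.com"), ("issuewild", "digicert.com")],
    "example.net": [("issue", "ca-a.example"), ("issuewild", "ca-b.example")],
    "locked.example": [("issue", ";")],
}

def lookup_caa(name: str) -> List[CaaRecord]:
    """Section 4 tree climb: use the closest ancestor that has a CAA RRset."""
    labels = name.lower().split(".")
    while labels:
        rrset = ZONE.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []  # no CAA anywhere up the tree: issuance is unrestricted

def issuer_value(value: str) -> str:
    """Strip CA-defined parameters ("ca.example; account=1") to the CA id."""
    return value.split(";", 1)[0].strip().lower()

def caa_permits(domain: str, issuer: str) -> bool:
    """Return True if `issuer` may issue a certificate for `domain`."""
    wildcard = domain.startswith("*.")
    rrset = lookup_caa(domain[2:] if wildcard else domain)
    if not rrset:
        return True
    # Section 5.3: for a wildcard name, issuewild records supersede issue
    # records if at least one issuewild record exists. Otherwise (and for
    # every non-wildcard name) the issue records govern, per section 5.2.
    if wildcard and any(tag == "issuewild" for tag, _ in rrset):
        relevant = [v for tag, v in rrset if tag == "issuewild"]
    else:
        relevant = [v for tag, v in rrset if tag == "issue"]
    if not relevant:
        return True  # RRset carries no applicable property: no restriction
    # "issue ;" yields an empty issuer id, which matches nobody.
    return issuer.lower() in {issuer_value(v) for v in relevant}
```

Note that the redundant issuewild on example.com changes nothing here, but on example.net it is what prevents ca-a.example from issuing the wildcard.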


