[cabfpub] Revisiting CAA

Gervase Markham gerv at mozilla.org
Mon May 5 08:55:15 UTC 2014


On 03/05/14 02:14, kirk_hall at trendmicro.com wrote:
> Gerv -- your bug at
> https://bugzilla.mozilla.org/show_bug.cgi?id=882128 shows a LOT of
> activity to try to implement CAA across Mozilla, and it looks like it
> came to an end in Sept. 2013.  Can you give us an update?  Did
> Mozilla complete CAA implementation?  

See previous message.

> If someone in Mozilla wanted to
> buy certs from a NEW CA not already listed in your CAA record(s),
> would that person know how to get it done within Mozilla?

The way we were planning to set it up, to begin with at least, CAA would
only trouble such a person if they wanted a *.mozilla.org certificate.
And I think such a person _should_ be troubled by the difficulty of
getting such a thing issued.

> One other question -- Mozilla has lots of hosted sites.  Is there a
> possibility of incomplete / contradictory CAA records across all
> those sites?

We were planning to do an issuewild record for mozilla.org, to prevent
wildcard certs being issued covering our key sites, and then have
specific CAA records for those key sites only. So this would not be a
problem.

Gerv



More information about the Public mailing list