[cabfpub] Preballot for IPv6 Support
Ryan Sleevi
sleevi at google.com
Thu Feb 19 20:11:27 UTC 2015
Good point. What good is serving a AAAA record from a DNS server that
doesn't listen on IPv6?
On Thu, Feb 19, 2015 at 11:25 AM, Rick Andrews
<Rick_Andrews at symantec.com> wrote:
> Ryan,
>
> It seems to me we need to add one more detail: it must be possible to make the lookups to the authoritative resolver (DNS) over IPv4 and IPv6. A client running on an IPv6-only network will first make a DNS call to get the AAAA record for the CA's OCSP or CRL service. So the CA needs to make sure that those DNS lookups can be served via IPv6.
>
> -Rick
>
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Wayne Thayer
> Sent: Thursday, February 19, 2015 8:54 AM
> To: CABFPub
> Subject: Re: [cabfpub] Preballot for IPv6 Support
>
> Ryan,
>
> We didn't find any blockers that prevent GoDaddy from enabling support for IPv6. Like other CAs, we also don't see any demand for it today, but I agree that this is a collective action problem and CAs need to remove certificate validation from the list of problems that are blocking other parties from moving to IPv6. GoDaddy supports this ballot and I would be happy to endorse.
>
> Thanks,
>
> Wayne
>
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi
> Sent: Wednesday, February 18, 2015 3:01 PM
> To: CABFPub
> Subject: Re: [cabfpub] Preballot for IPv6 Support
>
> In advance of tomorrow's call, I'd like to bring forward this pre-ballot again
>
> ---MOTION BEGINS---
>
> Update Section 13.2.1 of the Baseline Requirements as follows:
>
> From:
> "The CA SHALL make revocation information for Subordinate Certificates and Subscriber Certificates available in accordance with Appendix B."
>
> To:
>
> "The CA SHALL make revocation information for Subordinate Certificates and Subscriber Certificates available in accordance with Appendix B.
>
> Effective March 1, 2016, the CA SHALL make this information available via both IPv4 and IPv6. For each DNS host included in accordance with Appendix B, lookups to the authoritative resolver MUST return valid A records if A records are requested and valid AAAA records if AAAA records are requested."
>
> Update Appendix B, Section 2(b) of the Baseline Requirements as follows:
>
> From:
> "This extension MUST be present and MUST NOT be marked critical. It MUST contain the HTTP URL of the CA’s CRL service."
>
> To:
> "This extension MUST be present and MUST NOT be marked critical. It MUST contain the HTTP URL of the CA’s CRL service. See Section 13.2.1 for details."
>
> ---MOTION ENDS---
>
> The key changes from the previous pre-ballot are the wording changes suggested by Brian Smith, and attaching a concrete date - 1 year from now.
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
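Added example, not part of the thread or of the Baseline Requirements: a Python audit of the two conditions discussed above, that each revocation host answers both A and AAAA queries and that the zone's name servers themselves publish both address families. The host names, the zone data and the `lookup(name, rtype)` callback are assumptions constructed for illustration; replace `sample_lookup` with a real DNS query function to use it.

```python
from urllib.parse import urlsplit

# Constructed sample data: documentation names and address ranges only.
SAMPLE_ZONE = {
    ("crl.ca.example", "A"): ["192.0.2.10"],
    ("crl.ca.example", "AAAA"): ["2001:db8::10"],
    ("ocsp.ca.example", "A"): ["192.0.2.11"],        # no AAAA published
    ("ca.example", "NS"): ["ns1.ca.example", "ns2.ca.example"],
    ("ns1.ca.example", "A"): ["192.0.2.53"],         # name servers are IPv4-only
    ("ns2.ca.example", "A"): ["192.0.2.54"],
}

def sample_lookup(name, rtype):
    """Hypothetical stand-in resolver over SAMPLE_ZONE."""
    return SAMPLE_ZONE.get((name.rstrip(".").lower(), rtype), [])

def zone_nameservers(host, lookup):
    """NS records live at the zone cut, not at the host: walk up the labels
    until an NS set is found (stopping before the bare TLD)."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        ns = lookup(".".join(labels[i:]), "NS")
        if ns:
            return ns
    return []

def audit_revocation_urls(urls, lookup):
    """Map each CRL/OCSP host to a list of dual-stack problems (empty = none).
    A published AAAA record is necessary but not sufficient: this does not
    prove the server actually listens on that address."""
    findings = {}
    for url in urls:
        host = urlsplit(url).hostname
        if host is None or host in findings:
            continue
        problems = [f"no {rtype} record"
                    for rtype in ("A", "AAAA") if not lookup(host, rtype)]
        ns_names = zone_nameservers(host, lookup)
        for rtype in ("A", "AAAA"):
            if not any(lookup(ns, rtype) for ns in ns_names):
                problems.append(f"no name server with an {rtype} record")
        findings[host] = problems
    return findings

if __name__ == "__main__":
    urls = ["http://crl.ca.example/root.crl", "http://ocsp.ca.example/"]
    for host, problems in audit_revocation_urls(urls, sample_lookup).items():
        print(host, "->", problems or "dual-stack OK")
```
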