[cabfpub] Preballot for IPv6 Support

Phillip Hallam-Baker philliph at comodo.com
Thu Feb 19 23:41:07 UTC 2015


Actually it would work fine since an IPv6 client would not talk to the authoritative directly anyway, it would go through a recursive that is probably dual stack unless you are playing the DNS64 game.


> On Feb 19, 2015, at 3:11 PM, Ryan Sleevi <sleevi at google.com> wrote:
> 
> Good point. What good is serving a AAAA record from a DNS server that
> doesn't listen on IPv6?
> 
> On Thu, Feb 19, 2015 at 11:25 AM, Rick Andrews
> <Rick_Andrews at symantec.com> wrote:
>> Ryan,
>> 
>> It seems to me we need to add one more detail: it must be possible to make the lookups to the authoritative resolver (DNS) over IPv4 and IPv6. A client running on an IPv6-only network will first make a DNS call to get the AAAA record for the CA's OCSP or CRL service. So the CA needs to make sure that those DNS lookups can be served via IPv6.
>> 
>> -Rick
>> 
>> -----Original Message-----
>> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Wayne Thayer
>> Sent: Thursday, February 19, 2015 8:54 AM
>> To: CABFPub
>> Subject: Re: [cabfpub] Preballot for IPv6 Support
>> 
>> Ryan,
>> 
>> We didn't find any blockers that prevent GoDaddy from enabling support for IPv6. Like other CAs, we also don't see any demand for it today, but I agree that this is a collective action problem and CAs need to remove certificate validation from the list of problems that are blocking other parties from moving to IPv6. GoDaddy supports this ballot and I would be happy to endorse.
>> 
>> Thanks,
>> 
>> Wayne
>> 
>> -----Original Message-----
>> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi
>> Sent: Wednesday, February 18, 2015 3:01 PM
>> To: CABFPub
>> Subject: Re: [cabfpub] Preballot for IPv6 Support
>> 
>> In advance of tomorrow's call, I'd like to bring forward this pre-ballot again
>> 
>> ---MOTION BEGINS---
>> 
>> Update Section 13.2.1 of the Baseline Requirements as follows:
>> 
>> From:
>> "The CA SHALL make revocation information for Subordinate Certificates and Subscriber Certificates available in accordance with Appendix B."
>> 
>> To:
>> 
>> "The CA SHALL make revocation information for Subordinate Certificates and Subscriber Certificates available in accordance with Appendix B.
>> 
>> Effective March 1, 2016, the CA SHALL make this information available via both IPv4 and IPv6. For each DNS host included in accordance with Appendix B, lookups to the authoritative resolver MUST return valid A records if A records are requested and valid AAAA records if AAAA records are requested."
>> 
>> Update Appendix B, Section 2(b) of the Baseline Requirements as follows:
>> 
>> From:
>> "This extension MUST be present and MUST NOT be marked critical. It MUST contain the HTTP URL of the CA’s CRL service."
>> 
>> To:
>> "This extension MUST be present and MUST NOT be marked critical. It MUST contain the HTTP URL of the CA’s CRL service. See Section 13.2.1 for details."
>> 
>> ---MOTION ENDS---
>> 
>> The key changes from the previous pre-ballot are the wording changes suggested by Brian Smith, and attaching a concrete date - 1 year from now.
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
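
The following check is an added example, not part of the thread or of any CA's tooling: it takes the CRL and OCSP URLs a certificate would carry under Appendix B and reports which hosts lack A or AAAA records, as the proposed Section 13.2.1 text would require. Lookups go through the system's recursive resolver; the hostnames, addresses and the `sample_lookup` helper are constructed so the block runs offline.

```python
import socket
from urllib.parse import urlsplit

def system_lookup(host, family):
    """Addresses the local (recursive) resolver returns for host in one family."""
    try:
        infos = socket.getaddrinfo(host, 80, family=family, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def check_dual_stack(urls, lookup=system_lookup):
    """Map each host in the revocation URLs to the record types it is missing."""
    report = {}
    for url in urls:
        host = urlsplit(url).hostname
        if host is None or host in report:
            continue  # skip unparsable entries and hosts already checked
        missing = []
        if not lookup(host, socket.AF_INET):
            missing.append("A")
        if not lookup(host, socket.AF_INET6):
            missing.append("AAAA")
        report[host] = missing
    return report

# Constructed sample data: hypothetical CRL and OCSP URLs as they would appear
# in a certificate's CRL Distribution Points and Authority Information Access.
SAMPLE_URLS = [
    "http://crl.ca.example/root.crl",
    "http://ocsp.ca.example/",
    "http://crl.ca.example/sub.crl",
]
# Constructed resolver answers (documentation address ranges), used offline.
SAMPLE_ZONE = {
    ("crl.ca.example", socket.AF_INET): {"192.0.2.10"},
    ("crl.ca.example", socket.AF_INET6): {"2001:db8::10"},
    ("ocsp.ca.example", socket.AF_INET): {"192.0.2.20"},
}

def sample_lookup(host, family):
    """Hypothetical stand-in for system_lookup backed by SAMPLE_ZONE."""
    return SAMPLE_ZONE.get((host, family), set())

if __name__ == "__main__":
    for host, missing in check_dual_stack(SAMPLE_URLS, sample_lookup).items():
        print(host, "OK" if not missing else "missing " + ", ".join(missing))
```

Run with the default `system_lookup` from a network without DNS64, since a DNS64 resolver can synthesize AAAA answers for hosts that publish only A records. The check does not test whether the authoritative name servers themselves are reachable over IPv6.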
