[cabfpub] Continuing the discussion on CAA
Kirk.Hall at entrustdatacard.com
Mon Oct 24 13:50:33 MST 2016
Ryan, your response is cryptic and confusing. I think we are wasting time.
Can you please avoid quoting other stuff (not sure what it proves or how it helps) and just lay out on the Public list your examples in simple English of cases where CAA would have prevented misissuance of a certificate to a fraudster not associated with the organization that owns or controls the domain requested? I don’t believe this has explicitly been discussed on the Public list before.
From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Monday, October 24, 2016 1:41 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Cc: Jeremy Rowley <jeremy.rowley at digicert.com>; public at cabforum.org
Subject: Re: [cabfpub] Continuing the discussion on CAA
On Mon, Oct 24, 2016 at 1:38 PM, Kirk Hall <Kirk.Hall at entrustdatacard.com> wrote:
Ryan, this discussion is happening on the Public list, and members of the public were not at our meeting.
Which is why minutes of our phone calls and meetings are so important.
So please drop your quibbling, and just restate whatever evidence you have – on the Public list, so everyone can evaluate it – that CAA would have prevented any known misissuance of certificates to a fraudster not associated with the certificate applicant.
It looks like the paragraph beginning "In the case of Google domains, we went " may have been dropped, so I've provided it again for you, in the hopes it might make it through this time, and your memory might be jogged.
"In the case of Google domains, we went and added CAA records to our properties, which has prevented unauthorized issuance. I was precise in my terminology here - unauthorized - because it's not authorized by the domain holder, even if it's valid according to the language of Section 220.127.116.11"