[cabfpub] Continuing the discussion on CAA

Rick Andrews Rick_Andrews at symantec.com
Mon Sep 12 22:56:11 UTC 2016


Eric, the discussions around CAA have often included less-than-strict enforcement because some CAs were opposed to CAA deployment. Some thought that it might be easier to achieve broad adoption by mandating a lax minimum and then ratcheting it up over time.

-Rick

On Sep 10, 2016, at 10:50 PM, Eric Mill <eric.mill at gsa.gov<mailto:eric.mill at gsa.gov>> wrote:

* Any failures occur at issuance-time, not request-time. While an issuance failure might lead to request failures when replacing expired or imminently-expiring certificates, many (most?) issuance failures will give service operators time to respond before request failures, including adjusting DNS records as necessary.

To clarify this paragraph, by "request" I meant "HTTP request", not "certificate request".

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160912/20b8044b/attachment-0003.html>


More information about the Public mailing list