[cabfpub] Ballot 187 - Make CAA Checking Mandatory

Ryan Sleevi sleevi at google.com
Wed Feb 22 15:40:17 MST 2017


On Wed, Feb 22, 2017 at 2:32 PM, Doug Beattie via Public <
public at cabforum.org> wrote:
>
> Several people have looked at RFC 6844 and have come away with different
> interpretations of what the processing means, so I HIGHLY recommend we
> include the CAA processing that MUST be performed so there is no ambiguity
> and so it’s clear for auditors.  This includes statements like:
>

Hi Doug,

This is and remains problematic, and it doesn't seem the previous feedback
was addressed. This is a bit like the recent remarks Virginia shared with
offering interpretation of legal matters - while it's meant well, it
introduces new problems.

Perhaps you would consider filing IETF errata on what you think is unclear?
I'm sensitive and appreciate the concern that technical documents may be
hard to understand, I think RFC5280 and the (non-)compliance by CAs is
ample evidence that no matter how unambiguous things are, people will
misinterpret and misunderstand.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170222/adef7af1/attachment.html>


More information about the Public mailing list