[cabfpub] Ballot 187 - Make CAA Checking Mandatory

Rob Stradling rob.stradling at comodo.com
Thu Feb 23 04:22:30 MST 2017


On 22/02/17 22:40, Ryan Sleevi via Public wrote:
> On Wed, Feb 22, 2017 at 2:32 PM, Doug Beattie via Public wrote:
>
>     Several people have looked at RFC 6844 and have come away with
>     different interpretations of what the processing means, so I HIGHLY
>     recommend we include the CAA processing that MUST be performed so
>     there is no ambiguity and so it’s clear for auditors.  This includes
>     statements like:
>
>
> Hi Doug,
>
> This is and remains problematic, and it doesn't seem the previous
> feedback was addressed. This is a bit like the recent remarks Virginia
> shared with offering interpretation of legal matters - while it's meant
> well, it introduces new problems.
>
> Perhaps you would consider filing IETF errata on what you think is
> unclear? I'm sensitive and appreciate the concern that technical
> documents may be hard to understand, I think RFC5280 and the
> (non-)compliance by CAs is ample evidence that no matter how unambiguous
> things are, people will misinterpret and misunderstand.

Doug, Ryan,

I fully agree that https://tools.ietf.org/html/rfc6844#section-4 is 
confusing and needs to be revised.

My understanding of the CAA algorithm has at times been flawed, even 
after seeking clarification from Phill.  If a document confuses even its 
authors, then you know there's a problem!

Last week Phill told me he would write an erratum for RFC6844 section 4 
this week.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
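Added example, not part of Rob's message or of the CAB Forum ballot: a literal implementation of the "Relevant Resource Record Set" algorithm R(X) from RFC 6844 Section 4, run over a constructed in-memory zone, next to one alternative reading of the alias step. The zone contents, the `TOP_LEVEL` set, and the second function are assumptions made for illustration; only `relevant_rrset` follows the RFC text step by step. Running both over the same data shows how two CAs reading the same section can reach different CAA policies for the same name.

```python
from __future__ import annotations

# Constructed zone data (illustrative names only): CAA record sets and
# CNAME targets keyed by fully-qualified name without the trailing dot.
CAA_RECORDS = {
    "example.com": ['0 issue "ca-a.example"'],
    "cdn-provider.example": ['0 issue "ca-b.example"'],
}
ALIASES = {
    # www.example.com is a CNAME to a host run by a CDN provider
    "www.example.com": "host7.cdn-provider.example",
}
# Constructed stand-in for the list of top-level domains.
TOP_LEVEL = {"com", "net", "example"}


def caa(x: str) -> list[str]:
    """CAA(X): the CAA record set at label X (empty if none)."""
    return CAA_RECORDS.get(x, [])


def parent(x: str) -> str | None:
    """P(X): the label immediately above X, or None at the root."""
    return x.split(".", 1)[1] if "." in x else None


def alias_target(x: str) -> str | None:
    """A(X): the target of a CNAME (or DNAME) alias at X, or None."""
    return ALIASES.get(x)


def is_top_level(x: str) -> bool:
    return x in TOP_LEVEL


def relevant_rrset(x: str, trace: list[str] | None = None) -> list[str]:
    """R(X) taken literally from the four steps in RFC 6844 Section 4:
    1. CAA(X) non-empty           -> R(X) = CAA(X)
    2. A(X) set and R(A(X)) non-empty -> R(X) = R(A(X))
    3. X not a TLD                -> R(X) = R(P(X))
    4. otherwise                  -> empty
    `trace` records every label whose CAA set was consulted."""
    if trace is not None:
        trace.append(x)
    if caa(x):
        return caa(x)
    a = alias_target(x)
    if a is not None:
        # Recursive R(A(X)): the literal text also climbs the tree from the alias target.
        r = relevant_rrset(a, trace)
        if r:
            return r
    if not is_top_level(x):
        p = parent(x)
        return relevant_rrset(p, trace) if p is not None else []
    return []


def relevant_rrset_alias_target_only(x: str, trace: list[str] | None = None) -> list[str]:
    """Hypothetical alternative reading (assumption, not the RFC text): consult
    CAA at the alias target itself, but climb the tree only from the name that
    was originally queried."""
    if trace is not None:
        trace.append(x)
    if caa(x):
        return caa(x)
    a = alias_target(x)
    if a is not None and caa(a):
        return caa(a)
    if not is_top_level(x):
        p = parent(x)
        return relevant_rrset_alias_target_only(p, trace) if p is not None else []
    return []


if __name__ == "__main__":
    for name in ("www.example.com", "mail.example.com"):
        t: list[str] = []
        print(name, "literal:", relevant_rrset(name, t), "via", t)
        t = []
        print(name, "alias-target-only:", relevant_rrset_alias_target_only(name, t), "via", t)
```

For `www.example.com` the literal reading returns the CDN provider's `issue "ca-b.example"` policy, found by climbing from `host7.cdn-provider.example`, and never consults `example.com` at all; the alternative reading returns the domain owner's `issue "ca-a.example"`. Both are defensible readings of Section 4 as published, which is the kind of divergence an erratum has to close. RFC 8659, which later obsoleted RFC 6844, dropped the alias step from the algorithm and left CNAME handling to the resolver.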