[cabfpub] Draft CAA motion (3)

Doug Beattie doug.beattie at globalsign.com
Fri Jan 13 07:55:53 MST 2017



> -----Original Message-----
> From: Gervase Markham [mailto:gerv at mozilla.org]
>
> On 13/01/17 13:13, Doug Beattie wrote:
> > As it stands, this means that CAs must support Issuer Critical, issue
> > and issuewild today and then to support other Property Tags as they
> > are added (without an indication of when the need to be supported).
> > The spec also says that you must check the specified CNAME or DNAME
> > record if they exist.  Are all of these checks required and how do we
> > handle new Property Tags?
> 
> You are right that the RFC has several extension mechanisms and it's not
> clear how changes would be incorporated. What do you suggest? Do we
> "freeze" the RFC and extension registries at a particular date, and then move
> that date via further ballots?

I'd suggest we include exactly what is required in the ballot and if the RFC changes then we have a new ballot to specify the changes and effective dates.

> As for which checks are required, the answer is whatever the RFC says, given
> that its authors probably thought about what was required quite carefully.
> What problem are you highlighting?

I'm highlighting the fact RFCs are not always clear in that they require and how they relate to the BRs and we should clearly state the requirements in the BRs.  In the BRs we don’t discuss DNAME records, but CAA does support them, so is that an issue?  I don’t know, just asking.  

There is an example in section 4 for processing that has a "will" ( not a WILL) - is this how CAs MUST process CAA records?  

Section 6.5 talks about abuse of the Critical Flag - are we OK with mandating that CAs respect the Critical flag?

> Gerv


More information about the Public mailing list