[cabfpub] Draft CAA motion (4)

Ryan Sleevi sleevi at google.com
Tue Jan 24 21:53:14 UTC 2017

On Tue, Jan 24, 2017 at 1:40 PM, Doug Beattie <doug.beattie at globalsign.com>

> monkey patching, that’s a new one for me.
> The context of the snippet below was an example in the RFC and it was not
> clear if that was a MUST or SHOULD.  I think we need clear MUST statements
> on what CAA checking is and how it needs to work so CAs and auditors all
> get the same message.  It was also not clear what happens when CNAME or
> DNAME records are encountered.  If my description is flawed then please
> comment.

https://tools.ietf.org/html/rfc6844#section-4 is a normative requirement of
RFC 6844. So it's already a MUST.

I suppose the question I have is what is the additional clarity you're
trying to add?

For example, the addition of "If a CNAME or DNAME record is found, then the
CAA check will start over using the returned value as the new input to the
CAA check." is introducing ambiguity, because it's incompatible with the
algorithm described - namely, the CAA check does not start over, because
the CAA check would have already accounted for the CNAME/DNAME traversal.
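The rule the two messages are arguing about is the recursive definition R(X) in RFC 6844 section 4. The following Python is an added walk-through of that rule on constructed zone data; it is not code from the thread, from the CA/Browser Forum, or from any CA, and it does not query real DNS. The `ZONE` table, the domain names in it, the `MAX_ALIAS_DEPTH` guard and the simplified `may_issue` check are assumptions made for illustration. The point it makes concrete is the one in the reply above: when X is a CNAME, the procedure evaluates the alias target under the same rule, and if that yields nothing it continues with the parent of the original X rather than starting over. (This follows the RFC 6844 text literally, so the alias target's own ancestors are also consulted; RFC 8659, which later obsoleted RFC 6844, narrowed the alias step to the target name itself.)

```python
"""Walk-through of the CAA lookup rule in RFC 6844 section 4 on toy zone data.

R(X) = CAA(X)      if CAA(X) is not empty, otherwise
R(X) = R(A(X))     if X is an alias (CNAME) and R(A(X)) is not empty, otherwise
R(X) = R(P(X))     if X is not a top-level domain, otherwise
R(X) = empty
"""

# Constructed zone for illustration (assumption, not real DNS data).
# Names are fully qualified with a trailing dot.
ZONE = {
    "example.com.":        {"CAA": ['0 issue "ca-a.example"']},
    "www.example.com.":    {"CNAME": "cdn.example.net."},
    "cdn.example.net.":    {"CAA": ['0 issue "ca-b.example"']},
    "legacy.example.com.": {"CNAME": "old.example.org."},
    "example.org.":        {"CAA": ['0 issue "ca-c.example"']},
    "orphan.example.com.": {"CNAME": "gone.example.net."},
    "loop-a.example.com.": {"CNAME": "loop-b.example.com."},
    "loop-b.example.com.": {"CNAME": "loop-a.example.com."},
}

# Assumed guard against CNAME loops; the RFC text itself sets no such limit.
MAX_ALIAS_DEPTH = 8


def caa_records(name):
    """CAA(X): the CAA RRset at exactly this name, empty if there is none."""
    return list(ZONE.get(name, {}).get("CAA", []))


def alias_target(name):
    """A(X): the CNAME target at this name, or None if X is not an alias."""
    return ZONE.get(name, {}).get("CNAME")


def parent(name):
    """P(X): the label immediately above X in the DNS hierarchy."""
    return ".".join(name.rstrip(".").split(".")[1:]) + "."


def is_top_level(name):
    """A single-label name such as 'com.' is treated as a top-level domain."""
    return name.count(".") == 1


def relevant_caa(name, trail=None, alias_depth=0):
    """R(X) as defined in RFC 6844 s.4.

    Returns (rrset, trail); `trail` lists every name consulted, in order,
    so the reader can see that the walk resumes at P(X) after an alias
    target yields nothing instead of restarting.
    """
    if trail is None:
        trail = []
    trail.append(name)
    rrset = caa_records(name)
    if rrset:
        return rrset, trail
    target = alias_target(name)
    if target is not None and alias_depth < MAX_ALIAS_DEPTH:
        via_alias, _ = relevant_caa(target, trail, alias_depth + 1)
        if via_alias:
            return via_alias, trail
    if not is_top_level(name):
        return relevant_caa(parent(name), trail, alias_depth)
    return [], trail


def may_issue(name, ca_domain):
    """Simplified non-wildcard issuance check against R(X).

    An empty relevant set permits issuance; if any 'issue' property is
    present, one of them must name this CA (an 'issue ";"' record names
    nobody and therefore forbids issuance).  Wildcard names, 'issuewild'
    and critical-flag handling are deliberately left out of this toy.
    """
    rrset, _ = relevant_caa(name)
    issue_domains = []
    for rr in rrset:
        _flags, tag, value = rr.split(" ", 2)
        if tag.lower() == "issue":
            issue_domains.append(value.strip('"').split(";")[0].strip())
    if not issue_domains:
        return True
    return ca_domain in issue_domains


if __name__ == "__main__":
    for qname in ("www.example.com.", "orphan.example.com.", "nothing.example.net."):
        records, path = relevant_caa(qname)
        print(qname, "->", records, "via", " -> ".join(path))
```

Running the block prints, for `orphan.example.com.`, a trail that visits the alias target `gone.example.net.` and its ancestors up to `net.`, finds nothing, and then continues at `example.com.`, the parent of the original name. That is the behaviour the reply describes: the alias traversal is part of the procedure, not a reason to restart it.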
