[cabfpub] Draft CAA motion (4)

Gervase Markham gerv at mozilla.org
Wed Jan 25 12:40:13 UTC 2017

Hi Doug,

As noted by Ryan, changes are hard to discuss without rationale.

On 24/01/17 20:03, Doug Beattie wrote:
> Key changes from your version: 1) Added this as an exception: The CAA
> check failed but was subsequently approved by an Enterprise RA or
> Certificate Approver with knowledge that the CAA check failed.

I remain opposed to this type of change, for reasons already outlined at
length. Explaining the same viewpoint again to me is not likely to
change my mind :-)

> 2) Increased cache time to 12 hours from 1 hour when a CAA record is
> found

Why can this not be left to the DNS? If your customer has a DNS TTL for
their CAA record which is shorter than you want it to be, ask them to
update it.

> 3) Specified a cache time of 24 hours when no CAA record was found

As Ryan notes, it seems wiser when possible to leave caching times to
the DNS.

> 4) Update the exemption for CAs being the DNS provider

What material change do you think your rewording makes - i.e. what
situations were not allowed that are now allowed, or vice versa?

Your 4 points also don't quite explain why we need to fork the RFC. If
you feel the RFC is unclear, explain why, and either someone more versed
in how to read RFCs will explain what the conventions say you should
interpret it to mean, or there will be consensus that it is indeed
unclear (unlikely but possible) and we can make a very specific fix.
Copying the entire thing seems like the wrong approach either way.


More information about the Public mailing list