[cabfpub] empty set -- RFC 6844

y-iida at secom.co.jp y-iida at secom.co.jp
Thu Jun 15 19:49:08 MST 2017


Hello, public.

I'd like to clarify the cases when the CAA RR set is empty.

<A> The first paragraph of chapter 4 of RFC 6844 reads:
  If such a record set exists
and it means that the certificate request is consistent with
the empty CAA resource record set.

<B> The above paragraph does not read ``a non-empty record set''
and last line of chapter 4 reads:
      Return Empty
and it does not mean return whatever you want, and section 5.2
of RFC 6844 reads:
  CAA authorizations are additive
and this means that the certificate request is not consistent
with the empty CAA resource record set and no CAs are allowed
to issue without applying an exception specified in the relevant
CP/CPS.
--
  iida
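
Added example, not part of the original message: a simplified Python sketch of the search order the message refers to (each name, then its alias, then its parent, ending in "Return Empty"), followed by the issuance decision under readings <A> and <B>. The zone data, the function names and the alias depth limit are assumptions made for illustration, and only `issue` properties are checked.

```python
# Constructed sample data (not real DNS): CAA records and CNAME/DNAME targets.
CAA = {"example.com": [("issue", "ca.example.net")]}
ALIAS = {"www.example.org": "host.example.com"}


def relevant_rrset(name, caa=CAA, alias=ALIAS, _depth=0):
    """Climb from `name` towards the root: X, Alias(X), parent of X, ...

    Returns the first non-empty CAA set found, or [] ("Return Empty").
    """
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        x = ".".join(labels[i:])
        if caa.get(x):
            return caa[x]
        target = alias.get(x)
        if target and _depth < 8:  # assumed limit, guards against alias loops
            found = relevant_rrset(target, caa, alias, _depth + 1)
            if found:
                return found
    return []


def may_issue(name, ca_domain, reading, caa=CAA, alias=ALIAS):
    """Decide issuance for `ca_domain` under reading "A" or "B" of the message.

    Reading A: an empty set places no restriction, so the request is consistent.
    Reading B: an empty set authorizes nobody, so only a CP/CPS exception
    (not modelled here) would allow issuance.
    """
    rrset = relevant_rrset(name, caa, alias)
    if not rrset:
        return reading == "A"
    # Non-empty set: both readings agree, the CA must be named in an issue tag.
    return any(tag == "issue" and value == ca_domain for tag, value in rrset)


if __name__ == "__main__":
    for host in ("shop.example.com", "www.example.org", "nocaa.example.test"):
        for reading in ("A", "B"):
            print(host, reading, may_issue(host, "ca.example.net", reading))
```

The two readings differ only for names where the search ends without finding any record; wherever a CAA record is found, both give the same answer.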

