[cabfpub] "[UNVERIFIED SENDER]Re: no CAA authorizations -- RFC 6844

Phillip philliph at comodo.com
Thu Jun 22 14:25:29 MST 2017


I was thinking that the text as drafted in RFC 6844 does what was intended, which was that if any CAA records were present in a record set, issue of certificates would be restricted to CAs that were explicitly authorized to issue at least one class of certificate.

To answer the question in a more restrictive fashion:

"It is my understanding that the text as drafted prohibits issue of a wildcard certificate by a CA not authorized by an issue record if the record set only contains issue records."





-----Original Message-----
From: Rob Stradling [mailto:rob.stradling at comodo.com] 
Sent: Thursday, June 22, 2017 4:39 PM
To: Phillip <philliph at comodo.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>; 'Ryan Sleevi' <sleevi at google.com>; 'Peter Bowen' <pzb at amzn.com>
Subject: Re: [cabfpub] "[UNVERIFIED SENDER]Re: no CAA authorizations -- RFC 6844

On 22/06/17 21:13, Phillip via Public wrote:
> I am pretty sure that Peter and myself only diverged in our 
> interpretation of the original proposal from Iida.

Phill, you wrote earlier:
"It is my understanding that the text as drafted prohibits issue of a wildcard certificate if the record set only contains issue records and issue of a non wildcard certificate if the record set only contains issuewild records."

Which document is the "text as drafted" that you're referring to?

I suspect that Peter and Ryan both thought that you were referring to RFC6844.  (And indeed, if you're not referring to RFC6844, I'm not sure which document you are referring to!)

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online


