[cabfpub] "[UNVERIFIED SENDER]Re: no CAA authorizations -- RFC 6844
philliph at comodo.com
Thu Jun 22 14:25:29 MST 2017
I was thinking that the text as drafted in RFC 6844 does what was intended, which was that if any CAA records were present in a record set, issue of certificates would be restricted to CAs that were explicitly authorized to issue at least one class of certificate.
To answer the question in a more restrictive fashion:
"It is my understanding that the text as drafted prohibits issue of a wildcard certificate by a CA not authorized by an issue record if the record set only contains issue records."
From: Rob Stradling [mailto:rob.stradling at comodo.com]
Sent: Thursday, June 22, 2017 4:39 PM
To: Phillip <philliph at comodo.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>; 'Ryan Sleevi' <sleevi at google.com>; 'Peter Bowen' <pzb at amzn.com>
Subject: Re: [cabfpub] "[UNVERIFIED SENDER]Re: no CAA authorizations -- RFC 6844
On 22/06/17 21:13, Phillip via Public wrote:
> I am pretty sure that Peter and myself only diverged in our
> interpretation of the original proposal from Iida.
Phill, you wrote earlier:
"It is my understanding that the text as drafted prohibits issue of a wildcard certificate if the record set only contains issue records and issue of a non wildcard certificate if the record set only contains issuewild records."
Which document is the "text as drafted" that you're referring to?
I suspect that Peter and Ryan both thought that you were referring to RFC6844. (And indeed, if you're not referring to RFC6844, I'm not sure which document you are referring to!)
Senior Research & Development Scientist
COMODO - Creating Trust Online