[cabfpub] empty set -- RFC 6844
jsha at letsencrypt.org
Fri Jun 23 17:36:47 MST 2017
On Thu, Jun 15, 2017 at 7:49 PM, y-iida--- via Public <public at cabforum.org> wrote:
> Hello, public.
> I'd like to make it clear the cases when CAA RR set is empty.
> <A> The first paragraph of chapter 4 of RFC 6844 reads:
> If such a record set exists
> and it means that the certificate request is consistent with
> the empty CAA resource record set.
> <B> Above paragraph does not read ``a non-empty record set''
> and last line of chapter 4 reads:
> Return Empty
> and it does not mean return whatever you want, and section 5.2
> of RFC 6844 reads:
> CAA authorizations are additive
> and this means that the certificate request is not consistent
> with the empty CAA resource record set and no CAs are allowed
> to issue without applying an exception specified in the relevant
There is a distinction between resource record sets and issuer domains.
Section 4 specifies how to find the relevant resource record set (RRSet),
which may be empty. Section 5.2 says that, if you do find a non-empty CAA
RRSet, the issuer domain in that RRSet may be empty.
In other words:
Empty RRSet: issuance allowed
Empty issuer domain within a non-empty RRSet: no issuance allowed
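
The two cases above, as an added example that is not part of the original message or of any CA's code. The zone data, names and helper functions are constructed for illustration; CNAME/DNAME alias handling from section 4, the critical flag, and the issuewild tag are left out.

```python
# Constructed sample data: domain name -> list of (tag, value) CAA records.
ZONE = {
    "example.com": [("issue", "ca.example.net")],
    "locked.example.com": [("issue", ";")],
    "multi.example.org": [("issue", ";"), ("issue", "ca.example.net; account=1")],
}

def relevant_rrset(name, zone):
    """RFC 6844 section 4 tree climb (aliases omitted in this sketch)."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        rrset = zone.get(".".join(labels), [])
        if rrset:
            return rrset          # first non-empty CAA RRSet wins
        labels = labels[1:]       # climb to the parent, up to the TLD
    return []                     # "Return Empty"

def issuer_domain(value):
    """Issuer domain of an issue value: the text before any ';' parameters."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(name, ca_domain, zone):
    rrset = relevant_rrset(name, zone)
    if not rrset:
        return True               # empty RRSet: issuance allowed
    issuers = [issuer_domain(v) for tag, v in rrset if tag.lower() == "issue"]
    if not issuers:
        # Assumption of this sketch: a set with no issue records
        # does not restrict issuance.
        return True
    # Authorizations are additive: any matching issue record permits the CA.
    # An empty issuer domain ("") never matches a CA, so 'issue ";"' on its
    # own authorizes nobody.
    return ca_domain.lower() in issuers

if __name__ == "__main__":
    for host in ("www.nocaa.example", "www.example.com",
                 "a.locked.example.com", "multi.example.org"):
        print(host, may_issue(host, "ca.example.net", ZONE))
```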