[cabfpub] no CAA authorizations -- RFC 6844

Gervase Markham gerv at mozilla.org
Thu Jun 22 12:34:19 UTC 2017


On 22/06/17 06:42, y-iida--- via Public wrote:
> <C> Likewise, when there are some relevant CAA records, but no
> CAA with "issuewild" property tag at all for a certificate
> domain, we will issue wildcard certificate for that domain.

You should read RFC6844 carefully, but to my understanding, this is
incorrect. If there is an "issue" property but no "issuewild" property,
then the "issue" property also controls the issuance of wildcard certs.
So you need to respect it in that case.

Gerv




More information about the Public mailing list