[cabfpub] no CAA authorizations -- RFC 6844

philliph at comodo.com
Thu Jun 22 14:47:15 UTC 2017


It was certainly the intention that presence of an issue prevents issue of wildcard certs.

I will re-read that section and report.

Meanwhile, I have had some comment on the discovery fixup and will rev that.


> On Jun 22, 2017, at 8:34 AM, Gervase Markham via Public <public at cabforum.org> wrote:
> 
> On 22/06/17 06:42, y-iida--- via Public wrote:
>> <C> Likewise, when there are some relevant CAA records, but no
>> CAA with "issuewild" property tag at all for a certificate
>> domain, we will issue wildcard certificate for that domain.
> 
> You should read RFC6844 carefully, but to my understanding, this is
> incorrect. If there is an "issue" property but no "issuewild" property,
> then the "issue" property also controls the issuance of wildcard certs.
> So you need to respect it in that case.
> 
> Gerv
> 
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
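
The rule discussed in this thread, as an added example that is not code from either participant or from any CA: for a wildcard request, "issuewild" properties govern when at least one is present, otherwise the "issue" properties govern, and "issuewild" is ignored for non-wildcard requests. The function names, the `(tag, value)` record shape and the sample domains are assumptions made for the illustration; tree climbing to find the relevant record set and critical-flag handling are left out, and a record set with no applicable "issue"/"issuewild" property returns `None` rather than a decision.

```python
# Added illustration; all names here are hypothetical, not from RFC 6844 or a CA code base.
from typing import Iterable, List, Optional, Tuple

CAARecord = Tuple[str, str]  # (tag, value), e.g. ("issue", "ca.example.net")


def governing_values(rrset: Iterable[CAARecord], wildcard: bool) -> Optional[List[str]]:
    """Return the values of the property that controls this request, or None if absent."""
    by_tag = {"issue": [], "issuewild": []}
    for tag, value in rrset:
        tag = tag.lower()  # property tags are matched case-insensitively
        if tag in by_tag:
            by_tag[tag].append(value)
    # issuewild only matters for wildcard requests, and then it overrides issue.
    if wildcard and by_tag["issuewild"]:
        return by_tag["issuewild"]
    # No issuewild for a wildcard request: issue controls wildcard issuance too.
    if by_tag["issue"]:
        return by_tag["issue"]
    return None


def issuer_domain(value: str) -> str:
    """Strip parameters after ';'. A bare ';' yields '' and so names no CA."""
    return value.split(";", 1)[0].strip().lower()


def ca_authorized(rrset: Iterable[CAARecord], wildcard: bool, ca_domain: str) -> Optional[bool]:
    """True/False when the records decide; None when no issue/issuewild applies."""
    records = list(rrset)
    if not records:
        return True  # empty relevant record set: CAA imposes no restriction
    values = governing_values(records, wildcard)
    if values is None:
        return None  # left to the CA's reading of the RFC and its policy
    return ca_domain.lower() in {issuer_domain(v) for v in values}


if __name__ == "__main__":
    # Constructed sample: "issue" present, no "issuewild", wildcard requested.
    sample = [("issue", "ca.example.net"), ("iodef", "mailto:sec@example.com")]
    print(ca_authorized(sample, True, "ca.example.net"))     # named CA
    print(ca_authorized(sample, True, "other.example.org"))  # any other CA
```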



