[cabfpub] "[UNVERIFIED SENDER]Re: no CAA authorizations -- RFC 6844

Phillip philliph at comodo.com
Thu Jun 22 20:02:05 UTC 2017


That was the intended semantics.

If only issue records were specified, they govern regular and wildcard.

If any wildcard is specified, it has no effect for a non-wildcard request
but governs any wildcard request.

Thus if the records are

   $ORIGIN example.com
   .       CAA 0 issue "alice.com"

Then

    alice.com may issue a cert for example.com or *.example.com
    bob.com, carol.com may not issue any cert at all.

If however, the records are

   $ORIGIN example.com
   .       CAA 0 issue "alice.com"
   .       CAA 0 issuewild "bob.com"

Then

    alice.com may issue a cert for example.com BUT NOT *.example.com
    bob.com may issue a cert for *.example.com BUT NOT example.com
    carol.com may not issue any cert at all.

The reason for this approach was that very few domains want to have separate
rules for wildcard and regular certs. Those that do will normally want the
issue of wildcard to be more restrictive.


From: Peter Bowen [mailto:pzb at amzn.com]
Sent: Thursday, June 22, 2017 3:37 PM
To: Phillip <philliph at comodo.com>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>;
ekr at rtfm.com; kathleen.moriarty.ietf at gmail.com
Subject: Re: "[UNVERIFIED SENDER]Re: [cabfpub] no CAA authorizations -- RFC 6844

On Jun 22, 2017, at 12:31 PM, Phillip <philliph at comodo.com> wrote:

It is not clear which of us you are responding to.

Let us consider the case proposed:

*	Domain example.com has an issue entry for CA alice.com but no issuewild
*	Certificate requested for *.example.com from bob.com

So section 5.3 does not apply. There is no issuewild to take priority.

The request has a wildcard so the requirement to ignore issuewild records
for a non-wildcard does not apply.

No issuewild properties are specified. So the second part does not apply.

Agreed.

However a certificate requested for *.example.com from alice.com would be
allowed to issue with the records you show in your example.

Thanks,

Peter

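The issue/issuewild decision Phillip walks through above, as an added Python example that is not code from the thread or from RFC 6844 itself. It assumes the relevant CAA RRset has already been looked up (the climbing lookup of RFC 6844 section 4 is not implemented) and is supplied in the zone-file style used in the messages; the zone fragments, the CAARecord class and the function names are constructed for this example.

```python
"""Decide whether a CA may issue for a name under the CAA issue/issuewild
semantics described in the thread (RFC 6844, sections 5.2 and 5.3).

Added example, not code from the thread. It assumes the relevant CAA RRset has
already been located (the tree-climbing lookup of RFC 6844 section 4 is out of
scope) and is given in the zone-file style used in the messages above.
"""
from dataclasses import dataclass

# Constructed zone fragments mirroring the two cases in the thread.
ZONE_ISSUE_ONLY = '''
$ORIGIN example.com
.       CAA 0 issue "alice.com"
'''

ZONE_WITH_ISSUEWILD = '''
$ORIGIN example.com
.       CAA 0 issue "alice.com"
.       CAA 0 issuewild "bob.com"
'''

CRITICAL_FLAG = 128          # RFC 6844 "issuer critical" bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa_zone(text: str) -> list[CAARecord]:
    """Parse lines of the form '<owner> CAA <flags> <tag> "<value>"'.

    $ORIGIN directives and blank lines are skipped; anything else that is not a
    CAA record is rejected rather than silently ignored.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("$ORIGIN"):
            continue
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[1].upper() != "CAA":
            raise ValueError(f"not a CAA record: {line!r}")
        _owner, _rrtype, flags, tag, value = parts
        records.append(CAARecord(int(flags), tag.lower(), value.strip().strip('"')))
    return records


def issuer_domain(value: str) -> str:
    """The issuer domain is the part of an issue/issuewild value before any
    ';'-separated parameters; an empty domain (value ";") authorises nobody."""
    return value.split(";", 1)[0].strip().lower().rstrip(".")


def governing_records(records: list[CAARecord], wildcard: bool) -> list[CAARecord]:
    """Select the property set that decides the request.

    Non-wildcard request: issuewild is ignored, issue governs.
    Wildcard request: issuewild governs if any is present, otherwise issue does.
    """
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    if wildcard and issuewild:
        return issuewild
    return issue


def may_issue(records: list[CAARecord], ca: str, name: str) -> bool:
    """Return True if CA `ca` is authorised to issue a certificate for `name`."""
    # A critical flag on a property this implementation does not understand
    # means the CA must not issue (RFC 6844 section 5.1).
    if any(r.flags & CRITICAL_FLAG and r.tag not in KNOWN_TAGS for r in records):
        return False
    governing = governing_records(records, name.startswith("*."))
    if not governing:
        # No applicable issue/issuewild property: CAA places no restriction.
        return True
    return ca.lower().rstrip(".") in {issuer_domain(r.value) for r in governing}


if __name__ == "__main__":
    cases = (("issue only", ZONE_ISSUE_ONLY), ("issue + issuewild", ZONE_WITH_ISSUEWILD))
    for label, zone in cases:
        recs = parse_caa_zone(zone)
        for ca in ("alice.com", "bob.com", "carol.com"):
            for name in ("example.com", "*.example.com"):
                verdict = "may issue" if may_issue(recs, ca, name) else "denied"
                print(f"{label:18} {ca:10} {name:14} -> {verdict}")
```

Running the module prints the verdict table for both zone fragments; it reproduces the two outcomes stated in the message above, and additionally shows the two edge cases a CA implementation has to get right: an issue value of ";" denies every CA, and an unrecognised property carrying the critical flag denies issuance outright.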