[cabfpub] empty set -- RFC 6844
Jacob Hoffman-Andrews
jsha at letsencrypt.org
Sat Jun 24 00:36:47 UTC 2017
On Thu, Jun 15, 2017 at 7:49 PM, y-iida--- via Public <public at cabforum.org>
wrote:
> Hello, public.
>
> I'd like to make it clear the cases when CAA RR set is empty.
>
> <A> The first paragraph of chapter 4 of RFC 6844 reads:
> If such a record set exists
> and it means that the certificate request is consistent with
> the empty CAA resource record set.
>
> <B> The above paragraph does not read ``a non-empty record set''
> and last line of chapter 4 reads:
> Return Empty
> and it does not mean return whatever you want, and section 5.2
> of RFC 6844 reads:
> CAA authorizations are additive
> and this means that the certificate request is not consistent
> with the empty CAA resource record set and no CAs are allowed
> to issue without applying an exception specified in the relevant
> CP/CPS.
> --
> iida
There is a distinction between resource record sets and issuer domains.
Section 4 specifies how to find the relevant resource record set (RRSet),
which may be empty. Section 5.2 says that, if you do find a non-empty CAA
RRSet, the issuer domain in that RRSet may be empty.
In other words:
Empty RRSet: issuance allowed
Empty issuer domain within a non-empty RRSet: no issuance allowed
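As an added illustration of the distinction drawn above (this is not code from the thread, from RFC 6844, or from Let's Encrypt): a small checker over constructed zone data that implements the section 4 RRSet lookup and the section 5.2 issuer-domain evaluation. The ZONE table and its record values are constructed, alias (CNAME/DNAME) following is assumed to have happened already, and an RRSet that carries no issue/issuewild property at all is treated here as placing no restriction.

```python
from dataclasses import dataclass

@dataclass
class CAA:
    flags: int   # bit 0x80 = issuer critical flag
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "letsencrypt.org" or ";" (the empty issuer domain)

# Constructed zone data (assumption): DNS name -> CAA RRSet. Names that are
# absent or map to [] have an empty CAA RRSet.
ZONE = {
    "example.com": [CAA(0, "issue", "letsencrypt.org")],
    "noissue.example.org": [CAA(0, "issue", ";")],
    "mixed.example.net": [CAA(0, "issue", ";"), CAA(0, "issue", "ca.example")],
}

def relevant_rrset(name):
    """RFC 6844 section 4: climb toward the root and return the first
    non-empty CAA RRSet, or [] ("Return Empty") if none is found.
    Aliases are assumed to be resolved already (ZONE holds canonical names)."""
    labels = name.lstrip("*.").split(".")
    while labels:
        rrset = ZONE.get(".".join(labels), [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []

def issuer_domain(value):
    """Issuer domain is the text before the first ';', trimmed; '' is the
    explicit empty issuer domain of section 5.2."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(name, ca_domain):
    """True if ca_domain is permitted to issue for name."""
    rrset = relevant_rrset(name)
    if not rrset:
        return True  # empty RRSet: no CAA policy at all, issuance allowed
    # A critical flag on a property this checker does not understand means
    # the record cannot be processed correctly, so it refuses to issue.
    if any(r.flags & 0x80 and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False
    wild = name.startswith("*.") and any(r.tag == "issuewild" for r in rrset)
    tag = "issuewild" if wild else "issue"
    relevant = [r for r in rrset if r.tag == tag]
    if not relevant:
        return True  # assumption: no issue/issuewild property -> unrestricted
    # Authorizations are additive: the CA must be named by some record; an
    # empty issuer domain (";") on its own authorizes nobody.
    return ca_domain.lower() in {issuer_domain(r.value) for r in relevant}
```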