[cabfpub] Results on Ballot 187 - Make CAA Checking Mandatory

Rick Andrews Rick_Andrews at symantec.com
Wed Mar 15 11:17:42 MST 2017


Gerv,

There's another "bug" that I hope you'll consider clarifying regarding iodef
records.

Part of the ballot says "CAs MUST process the issue, issuewild, and iodef
property tags"

Another part says "CAs... SHOULD dispatch reports of such issuance requests
to the contact(s) stipulated in the CAA iodef record(s), if present."

I assume you meant that CAs MUST dispatch reports to the contacts in iodef
records, otherwise "processing" an iodef tag is the same as ignoring it.

-Rick

-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham via Public
Sent: Thursday, March 09, 2017 2:31 AM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Gervase Markham <gerv at mozilla.org>
Subject: Re: [cabfpub] Results on Ballot 187 - Make CAA Checking Mandatory

Hi Kirk and all,

On 08/03/17 22:00, Kirk Hall via Public wrote:
> The voting period for Ballot 187 has ended.  Here are the results.

Thank you for tabulating these results; I'm very happy to see such a degree
of final consensus on what is, I know, a controversial issue. I remain
committed to making sure that some of the fears of some members about abuse
of this technology do not come to pass.

There is one small "bug" in the wording which was pointed out privately
during the voting period, which I intend to fix in a quick ballot. At the
moment the text says:

"CAs MUST respect the critical flag and reject any unrecognized properties
with this flag set."

But this is not what should happen according to the CAA RFC. If there is an
unrecognised property with the critical flag set, the CA should not just
reject the property, they should fail closed. Here is an example of the
problems one can get from trying to reproduce the intent and commands of an
RFC in our documents, rather than just incorporating by reference :-)

I propose replacing the above sentence with the more accurate:

"CAs MUST respect the critical flag and not issue a certificate if they
encounter an unrecognized property with this flag set."

I will be preparing a ballot to this effect in the next few days.
Without reopening any of the other controversial issues related to CAA, if
anyone else has wording clarifications for this section, send me an email.

Gerv

_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
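The two wording points raised in this thread map onto concrete steps of CAA evaluation: a CA must fail closed when it meets a critical property it does not understand, and the iodef contacts are where a refused request gets reported. The following is an added illustration, not code from the thread, from the CA/Browser Forum, or from any CA's issuance system. It assumes the relevant CAA record set has already been located by the RFC 6844 lookup and is handed in as (flags, tag, value) triples, that the CA is identified by the domain name it publishes for CAA matching, and that issue/issuewild parameters (such as `account=...`) are parsed but not enforced; the names `ca.example.net` and `other-ca.example` are made up.

```python
"""Evaluate one relevant CAA record set for a certificate request (RFC 6844).

Added example, not a CA's production code. Input records are assumed to be
the already-resolved relevant RRset; DNS lookup is out of scope here.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

CRITICAL_FLAG = 0x80                       # RFC 6844 flags byte, bit 0
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # property tags this CA understands


@dataclass
class CaaRecord:
    flags: int
    tag: str      # compared case-insensitively, per the RFC
    value: str


@dataclass
class Decision:
    permitted: bool
    reason: str
    iodef_contacts: List[str]   # where to dispatch a report if the request is refused


def parse_issue_value(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'ca.example.net; account=123' into ('ca.example.net', {'account': '123'}).

    A value of ';' or '' yields an empty domain, which matches no CA: the
    domain holder has authorized nobody (for that property) to issue.
    """
    parts = [p.strip() for p in value.split(";")]
    domain = parts[0].lower()
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip()] = v.strip()
    return domain, params


def iodef_contacts(records: List[CaaRecord]) -> List[str]:
    """Collect iodef targets (mailto:/http(s): URLs) in record order."""
    return [r.value for r in records if r.tag.lower() == "iodef"]


def evaluate_caa(records: List[CaaRecord], ca_domain: str, wildcard: bool = False) -> Decision:
    ca = ca_domain.lower()
    contacts = iodef_contacts(records)

    # Fail closed on any unrecognized property carrying the critical flag.
    # This is the behaviour Gerv's corrected wording requires: the CA does not
    # merely drop the property, it declines to issue at all.
    for r in records:
        if r.flags & CRITICAL_FLAG and r.tag.lower() not in KNOWN_TAGS:
            return Decision(False, f"unrecognized critical property {r.tag!r}", contacts)

    # An empty relevant record set places no restriction on issuance.
    if not records:
        return Decision(True, "no CAA records", contacts)

    issue = [r for r in records if r.tag.lower() == "issue"]
    issuewild = [r for r in records if r.tag.lower() == "issuewild"]

    # issuewild governs wildcard requests when present; otherwise issue applies.
    if wildcard and issuewild:
        relevant, tag = issuewild, "issuewild"
    else:
        relevant, tag = issue, "issue"

    # A record set with only iodef (or only unknown non-critical tags) restricts nothing.
    if not relevant:
        return Decision(True, f"no {tag} property restricts issuance", contacts)

    for r in relevant:
        domain, _params = parse_issue_value(r.value)   # params parsed, not enforced here
        if domain == ca:
            return Decision(True, f"{tag} authorizes {ca}", contacts)

    # Restricted, and this CA is not on the list: refuse, and report via iodef.
    return Decision(False, f"{tag} properties do not authorize {ca}", contacts)


if __name__ == "__main__":
    # Constructed sample RRset for illustration.
    rrset = [
        CaaRecord(0, "issue", "ca.example.net; account=123"),
        CaaRecord(0, "iodef", "mailto:security@example.com"),
    ]
    print(evaluate_caa(rrset, "ca.example.net"))
    print(evaluate_caa(rrset, "other-ca.example"))
    print(evaluate_caa(rrset + [CaaRecord(CRITICAL_FLAG, "futuretag", "x")], "ca.example.net"))
```

Note the asymmetry that Rick's message is about: a refused request still returns the iodef contacts, so a caller that only logs `permitted` has "processed" the iodef tag in name only. Whatever the final ballot wording, a CA that never dispatches anything to those contacts gets no benefit from parsing them.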