[cabfpub] Results on Ballot 187 - Make CAA Checking Mandatory

Gervase Markham gerv at mozilla.org
Thu Mar 9 10:31:22 UTC 2017


Hi Kirk and all,

On 08/03/17 22:00, Kirk Hall via Public wrote:
> The voting period for Ballot 187 has ended.  Here are the results.

Thank you for tabulating these results; I'm very happy to see such a
degree of final consensus on what is, I know, a controversial issue. I
remain committed to making sure that some of the fears of some members
about abuse of this technology do not come to pass.

There is one small "bug" in the wording which was pointed out privately
during the voting period, which I intend to fix in a quick ballot. At
the moment the text says:

"CAs MUST respect the critical flag and reject any unrecognized
properties with this flag set."

But this is not what should happen according to the CAA RFC. If there is
an unrecognised property with the critical flag set, the CA should not
just reject the property, they should fail closed. Here is an example of
the problems one can get from trying to reproduce the intent and
commands of an RFC in our documents, rather than just incorporating by
reference :-)

I propose replacing the above sentence with the more accurate:

"CAs MUST respect the critical flag and not issue a certificate if they
encounter an unrecognized property with this flag set."

I will be preparing a ballot to this effect in the next few days.
Without reopening any of the other controversial issues related to CAA,
if anyone else has wording clarifications for this section, send me an
email.

Gerv
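The difference between the two wordings, as an added example that is not part of the original message or of any CA's code: a minimal CAA issuance check in which the ballot's current text (drop the unrecognised critical property and carry on) sits beside the proposed text (an unrecognised critical property means do not issue). The tag name `futuretag`, the CA name and the sample RRset are constructed; wildcard and iodef handling are left out.

```python
from dataclasses import dataclass

# CAA property tags this hypothetical CA understands. RFC 6844 defines
# "issue", "issuewild" and "iodef"; anything else is unrecognised here.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # the critical bit in the CAA flags byte (RFC 6844)


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def _issue_permitted(records, ca_domain):
    """Apply the 'issue' properties only: issuance is permitted when no
    'issue' record exists, or when one of them names this CA. An 'issue'
    record with an empty issuer (e.g. value ";") permits nobody."""
    issuers = [r.value.split(";")[0].strip().lower()
               for r in records if r.tag.lower() == "issue"]
    if not issuers:
        return True
    return ca_domain.lower() in issuers


def may_issue_current_wording(records, ca_domain):
    """Ballot 187 as voted: an unrecognised property with the critical
    flag set is rejected (ignored) and evaluation continues."""
    usable = [r for r in records
              if r.tag.lower() in KNOWN_TAGS or not (r.flags & CRITICAL)]
    return _issue_permitted(usable, ca_domain)


def may_issue_proposed_wording(records, ca_domain):
    """Proposed fix, matching RFC 6844: an unrecognised property with the
    critical flag set means the CA must not issue at all (fail closed)."""
    for r in records:
        if r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS:
            return False
    return _issue_permitted(records, ca_domain)


# Constructed sample RRset: the domain authorises example-ca.net and also
# publishes a property this CA does not understand, marked critical.
SAMPLE = [
    CAARecord(0, "issue", "example-ca.net"),
    CAARecord(CRITICAL, "futuretag", "some-policy"),
]
```

With the sample RRset the current wording lets example-ca.net issue, while the proposed wording refuses; for an unrecognised property without the critical flag, both wordings simply ignore it.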