[cabfpub] Results on Ballot 187 - Make CAA Checking Mandatory

Rick Andrews Rick_Andrews at symantec.com
Fri Mar 17 17:51:15 UTC 2017

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Friday, March 17, 2017 10:42 AM
To: Rick Andrews <Rick_Andrews at symantec.com>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>; Gervase Markham <gerv at mozilla.org>
Subject: Re: [cabfpub] Results on Ballot 187 - Make CAA Checking Mandatory

On Fri, Mar 17, 2017 at 1:34 PM, Rick Andrews <Rick_Andrews at symantec.com> wrote:

   If the issue or issuewild records indicate that I am permitted to issue the cert, it seems excessive to reject because I can't parse the iodef record. As a permitted CA, I don't need to do anything with the iodef record.



   That's not correct. For example, imagine the issue indicates Symantec, but it requests EV only (via a Symantec-defined issuer-parameter), and you receive a request for DV. What do you do then?

   Symantec has not defined any additional parameters, so this question is moot (for me).



   Similarly, if the Forum introduces issuer-parameters regarding the use of 3.2.2.4 validity methods, what then?

   The Forum has not defined any parameters yet, so this question is moot.



   For this simple case where there are no additional parameters and I find my identifier in an issue or issuewild record, I need not even view an iodef record.



   How do others interpret it?

   Your intent is probably to catch the error and alert the domain owner, so that they can fix it in case a non-authorized CA tries to issue a cert for the domain. While I can see the advantage of that, I'm not sure that this action was intended by the RFC or Gerv's ballot.

   How do others interpret it?

   -Rick

   From: Ryan Sleevi [mailto:sleevi at google.com]
   Sent: Friday, March 17, 2017 10:26 AM
   To: Rick Andrews <Rick_Andrews at symantec.com>
   Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>; Gervase Markham <gerv at mozilla.org>
   Subject: Re: [cabfpub] Results on Ballot 187 - Make CAA Checking Mandatory

   Fail to issue.

   On Fri, Mar 17, 2017 at 1:25 PM, Rick Andrews <Rick_Andrews at symantec.com> wrote:
   But what am I supposed to do if I can’t parse the syntax?

   From: Ryan Sleevi [mailto:sleevi at google.com]
   Sent: Friday, March 17, 2017 10:22 AM
   To: CA/Browser Forum Public Discussion List <public at cabforum.org>
   Cc: Gervase Markham <gerv at mozilla.org>; Rick Andrews <Rick_Andrews at symantec.com>
   Subject: Re: [cabfpub] Results on Ballot 187 - Make CAA Checking Mandatory



   On Fri, Mar 17, 2017 at 1:18 PM, Rick Andrews via Public <public at cabforum.org> wrote:
   Gerv, I would suggest simply removing "iodef" from "CAs MUST process the issue, issuewild, and iodef property tags". To me, the word "process" means to take some kind of action, as we must do with issue and issuewild tags. From what others have said, if the iodef record isn't marked critical, I can ignore it, and if it is marked critical, I can ignore it as long as I recognize it as an iodef record. I wouldn't call that "processing" the record.

   That's not quite correct. If it's marked critical, you must still understand how to parse the syntax, and ensure it is something you actively understand, even if you do not report.
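The fail-closed processing argued for in this exchange, written out as an added Python illustration; it is not code from the thread or from any CA. It assumes records arrive as (flags, tag, value) tuples, that an iodef value must be a mailto: or http(s) URL to count as parsed, and that an issue record carrying a parameter the CA does not implement (Ryan's EV-only hypothetical) is treated as a refusal; all record values are constructed.

```python
from urllib.parse import urlparse

CRITICAL = 0x80                      # RFC 6844 issuer-critical flag bit

def parse_issue(value):
    """'ca.example; k=v' -> ('ca.example', {'k': 'v'}); raises on bad syntax."""
    head, *rest = [p.strip() for p in value.split(";")]
    params = {}
    for p in rest:
        if "=" not in p:
            raise ValueError("malformed parameter %r" % p)
        k, v = p.split("=", 1)
        params[k.strip()] = v.strip()
    return head.lower(), params

def iodef_parseable(value):
    """Assumption: an iodef value is a mailto: or http(s) URL; anything else is unparseable."""
    u = urlparse(value)
    return u.scheme in ("mailto", "http", "https") and bool(u.netloc or u.path)

def may_issue(records, ca_domain, wildcard=False, known_params=frozenset()):
    """records: constructed (flags, tag, value) tuples. Returns (allowed, reason); doubt means refuse."""
    tags = {t.lower() for _, t, _ in records}
    relevant = "issuewild" if wildcard and "issuewild" in tags else "issue"
    names_us = False
    for flags, tag, value in records:
        tag, critical = tag.lower(), bool(flags & CRITICAL)
        if tag not in ("issue", "issuewild", "iodef"):
            if critical:                   # unknown critical property: must not issue
                return False, "unrecognised critical tag %r" % tag
            continue
        if tag == "iodef":                 # a permitted CA takes no action on iodef,
            if critical and not iodef_parseable(value):
                return False, "cannot parse critical iodef %r" % value  # but must understand it
            continue
        if tag != relevant:
            continue
        try:
            domain, params = parse_issue(value)
        except ValueError as exc:
            return False, "malformed %s record: %s" % (tag, exc)
        if domain == ca_domain.lower():
            unknown = set(params) - set(known_params)
            if unknown:                    # e.g. an EV-only issuer parameter this CA does not implement
                return False, "unsupported parameters %s" % sorted(unknown)
            names_us = True
    if relevant not in tags:               # assumption: only issue/issuewild records restrict issuance
        return True, "no %s records" % relevant
    return names_us, "%s record %s %s" % (relevant, "names" if names_us else "does not name", ca_domain)
```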


