[cabfpub] Fix to CAA ballot

Jacob Hoffman-Andrews jsha at letsencrypt.org
Mon Sep 25 11:13:57 MST 2017


This also looks good to me.

On Mon, Sep 25, 2017 at 6:32 AM, Tim Hollebeek via Public <
public at cabforum.org> wrote:

> This looks good to me and we would support it.
>
>
>
> *From:* Public [mailto:public-bounces at cabforum.org] *On Behalf Of* philliph---
> via Public
> *Sent:* Saturday, September 23, 2017 3:05 PM
> *To:* Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Public
> Discussion List <public at cabforum.org>
> *Subject:* Re: [cabfpub] Fix to CAA ballot
>
>
>
> I am inviting comment.
>
> On Sep 23, 2017, at 1:16 PM, Kirk Hall via Public <public at cabforum.org>
> wrote:
>
>
>
> Phill – to make it clear, is this a pre-ballot, and are you inviting
> comment / edits?
>
>
>
> Whether 214 passes or fails, it would be good to have a backup ready to go.
>
>
>
> *From:* Public [mailto:public-bounces at cabforum.org] *On Behalf Of* philliph--- via Public
> *Sent:* Saturday, September 23, 2017 7:48 AM
> *To:* CA/Browser Forum Public Discussion List <public at cabforum.org>
> *Subject:* [EXTERNAL][cabfpub] Fix to CAA ballot
>
>
>
> Looking at the current situation, I am thinking that the fixup ballot to
> the fixup ballot should assume 214 fails and be worded as follows:
>
> In the Baseline Requirements v1.4.9 Section 3.2.2.8. CAA Records
>
> Strike:
>
> As part of the issuance process, the CA MUST check for a CAA record for
> each dNSName in the subjectAltName extension of the certificate to be
> issued, according to the procedure in RFC 6844, following the processing
> instructions set down in RFC 6844 for any records found. If the CA issues,
> they MUST do so within the TTL of the CAA record, or 8 hours, whichever is
> greater.
>
> Replace with:
>
>
> With effect until XXth YYYY 2018,
>
> As part of the issuance process, the CA MUST check for CAA records and
> follow the processing instructions for any records found, for each dNSName
> in the subjectAltName extension of the certificate to be issued, as
> specified in either RFC 6844 or RFC 6844 as amended by Errata 5065
> (Appendix A). If the CA issues, they MUST do so within the TTL of the CAA
> record, or 8 hours, whichever is greater.
>
>
>
> With effect after YYYY 2018:
>
> As part of the issuance process, the CA MUST check for CAA records and
> follow the processing instructions for any records found, for each dNSName
> in the subjectAltName extension of the certificate to be issued, as
> specified in RFC 6844 as amended by Errata 5065 (Appendix A). If the CA
> issues, they MUST do so within the TTL of the CAA record, or 8 hours,
> whichever is greater.
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public