[cabfpub] Fix to CAA ballot
Tim Hollebeek
THollebeek at trustwave.com
Mon Sep 25 13:32:46 UTC 2017
This looks good to me and we would support it.
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of philliph--- via Public
Sent: Saturday, September 23, 2017 3:05 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Fix to CAA ballot
I am inviting comment.
On Sep 23, 2017, at 1:16 PM, Kirk Hall via Public <public at cabforum.org<mailto:public at cabforum.org>> wrote:
Phill – to make it clear, is this a pre-ballot, and are you inviting comment / edits?
Whether 214 passes or fails, it would be good to have a backup ready to go.
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of philliph--- via Public
Sent: Saturday, September 23, 2017 7:48 AM
To: CA/Browser Forum Public Discussion List <public at cabforum.org<mailto:public at cabforum.org>>
Subject: [EXTERNAL][cabfpub] Fix to CAA ballot
Looking at the current situation, I am thinking that the fixup ballot to the fixup ballot should assume 214 fails and be worded as follows:
In the Baseline Requirements v1.4.9 Section 3.2.2.8. CAA Records
Strike:
As part of the issuance process, the CA MUST check for a CAA record for each dNSName in the subjectAltName extension of the certificate to be issued, according to the procedure in RFC 6844, following the processing instructions set down in RFC 6844 for any records found. If the CA issues, they MUST do so within the TTL of the CAA record, or 8 hours, whichever is greater.
Replace with:
With effect until XXth YYYY 2018,
As part of the issuance process, the CA MUST check for CAA records and follow the processing instructions for any records found, for each dNSName in the subjectAltName extension of the certificate to be issued, as specified in either RFC 6844 or RFC 6844 as amended by Errata 5065 (Appendix A). If the CA issues, they MUST do so within the TTL of the CAA record, or 8 hours, whichever is greater.
With effect after YYYY 2018:
As part of the issuance process, the CA MUST check for CAA records and follow the processing instructions for any records found, for each dNSName in the subjectAltName extension of the certificate to be issued, as specified in RFC 6844 as amended by Errata 5065 (Appendix A). If the CA issues, they MUST do so within the TTL of the CAA record, or 8 hours, whichever is greater.
_______________________________________________
Public mailing list
Public at cabforum.org<mailto:Public at cabforum.org>
https://cabforum.org/mailman/listinfo/public<https://scanmail.trustwave.com/?c=4062&d=_rDG2elFgz3owimU2ZUNP6EZ0eP3TV7FeJJ8u8_auQ&s=5&u=https%3a%2f%2fcabforum%2eorg%2fmailman%2flistinfo%2fpublic>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170925/7ccd6a99/attachment-0003.html>
More information about the Public
mailing list