[cabfpub] Voting Begins: Ballot 219 v2: Clarify handling of CAA Record Sets with no "issue"/"issuewild" property tag

Wayne Thayer wthayer at mozilla.com
Mon Apr 9 11:53:47 MST 2018


Mozilla votes Yes on ballot 219.

On Tue, Apr 3, 2018 at 9:13 AM, Corey Bonnell via Public <
public at cabforum.org> wrote:

> Ballot 219 v2: Clarify handling of CAA Record Sets with no
> "issue"/"issuewild" property tag
>
> Purpose of this ballot:
>
> RFC 6844 contains an ambiguity in regard to the correct processing of a
> non-empty CAA Resource Record Set that does not contain any issue property
> tag (and also does not contain any issuewild property tag in the case of a
> Wildcard Domain Name). It is ambiguous if a CA must not issue when such a
> CAA Resource Record Set is encountered, or if such a Resource Record Set is
> implicit permission to issue.
>
> Given that the intent of the RFC is clear (such a CAA Resource Record Set
> is implicit permission to issue), we are proposing the following change to
> allow for CAA processing consistent with the intent of the RFC.
>
> The following motion has been proposed by Corey Bonnell of Trustwave and
> endorsed by Tim Hollebeek of Digicert and Mads Egil Henriksveen of Buypass.
>
> -- MOTION BEGINS --
>
> This ballot modifies the "Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates" as follows, based upon Version
> 1.5.6:
>
> In section 3.2.2.8, add this sentence:
>
> CAs MAY treat a non-empty CAA Resource Record Set that does not contain
> any issue property tags (and also does not contain any issuewild property
> tags when performing CAA processing for a Wildcard Domain Name) as
> permission to issue, provided that no records in the CAA Resource Record
> Set otherwise prohibit issuance.
>
> to the end of this paragraph:
>
> When processing CAA records, CAs MUST process the issue, issuewild, and
> iodef property tags as specified in RFC 6844, although they are not
> required to act on the contents of the iodef property tag. Additional
> property tags MAY be supported, but MUST NOT conflict with or supersede the
> mandatory property tags set out in this document. CAs MUST respect the
> critical flag and not issue a certificate if they encounter an unrecognized
> property with this flag set.
>
> -- MOTION ENDS --
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
>
>   Start Time: 2018-03-07 19:00:00 UTC
>
>   End Time: 2018-04-03 19:00:00 UTC
>
> Vote for approval (7 days)
>
>   Start Time: 2018-04-03 19:00:00 UTC
>
>   End Time: 2018-04-10 19:00:00 UTC
>
> *Corey Bonnell*
>
> Senior Software Engineer
>
> t: +1 412.395.2233
>
> *Trustwave* | SMART SECURITY ON DEMAND
> www.trustwave.com
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
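The quoted ballot describes a decision procedure: process issue, issuewild and iodef per RFC 6844, refuse to issue on an unrecognized tag with the critical flag set, and (the sentence the ballot adds) treat a non-empty RRset with no issue record (and, for a wildcard name, no issuewild record either) as permission to issue. The following is an added example, written by the editor and not part of the ballot, the mailing-list thread or any CA's software, that implements that procedure in Python over CAA records in DNS presentation format. The helper names (`parse_caa`, `issuer_domain`, `may_issue`, `evaluate`) and the sample RRsets are the editor's own constructions; the code assumes the RRset handed to it is the non-empty set already located by the RFC 6844 tree-climbing search, and it does not perform DNS lookups or DNSSEC validation.

```python
"""Decide whether a CA may issue, given the relevant CAA RRset.

Editor's illustration of the rules quoted in Ballot 219: the RFC 6844
issue / issuewild decision, the critical-flag rule, and the "no issue (or
issuewild) property present" case that the ballot lets a CA treat as
permission to issue.  Records are written in DNS presentation format,
e.g.  0 issue "ca.example".  The RRset is assumed to be the non-empty set
found by the RFC 6844 tree-climbing search (lookup is out of scope here).
"""
import re
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}   # property tags this checker understands
CRITICAL = 0x80                                 # issuer-critical flag bit in the flags octet


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str      # stored lower-case; tags compare case-insensitively
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & CRITICAL)


# <flags> <tag> "<value>"; backslash escapes are allowed inside the quotes
_RR_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"((?:[^"\\]|\\.)*)"\s*$')


def parse_caa(line: str) -> CAARecord:
    """Parse one CAA record from presentation format (hypothetical helper)."""
    m = _RR_RE.match(line)
    if m is None:
        raise ValueError(f"not a CAA record: {line!r}")
    flags = int(m.group(1))
    if flags > 255:
        raise ValueError("CAA flags must fit in one octet")
    value = m.group(3).replace('\\"', '"').replace("\\\\", "\\")
    return CAARecord(flags, m.group(2).lower(), value)


def issuer_domain(value: str) -> str:
    """Issuer-domain-name part of an issue/issuewild value.

    The value is '<issuer-domain-name>[; parameters]'.  An empty issuer
    domain (a value such as ";") names no CA, so it authorises nobody.
    """
    return value.split(";", 1)[0].strip().lower().rstrip(".")


def may_issue(rrset, ca_domain: str, wildcard: bool = False) -> bool:
    """Return True if the CA identified by ca_domain may issue.

    wildcard=True means the certificate would contain a Wildcard Domain Name.
    """
    # 1. An unrecognised property tag with the critical flag set forbids
    #    issuance regardless of anything else in the set.
    if any(r.critical and r.tag not in KNOWN_TAGS for r in rrset):
        return False

    # 2. Choose the governing tag.  For a wildcard name, issuewild takes
    #    precedence when present; with no issuewild record, issue governs.
    #    Non-wildcard names always use issue; iodef never grants or denies.
    governing = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        governing = "issuewild"
    relevant = [r for r in rrset if r.tag == governing]

    # 3. Ballot 219: a non-empty set with no issue property (and no issuewild
    #    property, for a wildcard) restricts nothing, so it is permission to
    #    issue.  Step 1 already handled records that otherwise prohibit it.
    if not relevant:
        return True

    # 4. Otherwise at least one relevant record must name this CA.
    ca = ca_domain.strip().lower().rstrip(".")
    return any(issuer_domain(r.value) == ca for r in relevant)


def evaluate(lines, ca_domain: str, wildcard: bool = False) -> bool:
    """Convenience wrapper: parse presentation-format lines, then decide."""
    return may_issue([parse_caa(line) for line in lines], ca_domain, wildcard)


if __name__ == "__main__":
    # Constructed sample RRsets (not real zone data).
    cases = [
        (['0 issue "ca.example"'], "ca.example", False),
        (['0 iodef "mailto:security@example.com"'], "ca.example", False),
        (['128 reserved "foo"', '0 issue "ca.example"'], "ca.example", False),
        (['0 issue "ca.example"', '0 issuewild "other.example"'], "ca.example", True),
        (['0 issue ";"'], "ca.example", False),
    ]
    for lines, ca, wild in cases:
        print(f"{lines!r:64} {ca} wildcard={wild} -> {evaluate(lines, ca, wild)}")
```

The second sample case is the one the ballot settles: an RRset holding only an iodef record contains no issue property, so the checker returns permission to issue rather than refusing. The third case shows that "provided that no records ... otherwise prohibit issuance" is not an empty qualifier: a critical unrecognized tag still blocks issuance even when an issue record names the CA.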