[cabfpub] Voting Begins: Ballot 219 v2: Clarify handling of CAA Record Sets with no "issue"/"issuewild" property tag

Christopher Kemmerer chris at ssl.com
Mon Apr 9 15:20:06 MST 2018


SSL.com votes YES on Ballot 219.


On 4/3/2018 11:13 AM, Corey Bonnell via Public wrote:
>
> Ballot 219 v2: Clarify handling of CAA Record Sets with no 
> "issue"/"issuewild" property tag
>
> Purpose of this ballot:
>
> RFC 6844 contains an ambiguity in regard to the correct processing of 
> a non-empty CAA Resource Record Set that does not contain any issue 
> property tag (and also does not contain any issuewild property tag in 
> the case of a Wildcard Domain Name). It is ambiguous if a CA must not 
> issue when such a CAA Resource Record Set is encountered, or if such a 
> Resource Record Set is implicit permission to issue.
>
> Given that the intent of the RFC is clear (such a CAA Resource Record 
> Set is implicit permission to issue), we are proposing the following 
> change to allow for CAA processing consistent with the intent of the RFC.
>
> The following motion has been proposed by Corey Bonnell of Trustwave 
> and endorsed by Tim Hollebeek of Digicert and Mads Egil Henriksveen of 
> Buypass.
>
> -- MOTION BEGINS --
>
> This ballot modifies the “Baseline Requirements for the Issuance and 
> Management of Publicly-Trusted Certificates” as follows, based upon 
> Version 1.5.6:
>
> In section 3.2.2.8, add this sentence:
>
> CAs MAY treat a non-empty CAA Resource Record Set that does not 
> contain any issue property tags (and also does not contain any 
> issuewild property tags when performing CAA processing for a Wildcard 
> Domain Name) as permission to issue, provided that no records in the 
> CAA Resource Record Set otherwise prohibit issuance.
>
> to the end of this paragraph:
>
> When processing CAA records, CAs MUST process the issue, issuewild, 
> and iodef property tags as specified in RFC 6844, although they are 
> not required to act on the contents of the iodef property tag. 
> Additional property tags MAY be supported, but MUST NOT conflict with 
> or supersede the mandatory property tags set out in this document. CAs 
> MUST respect the critical flag and not issue a certificate if they 
> encounter an unrecognized property with this flag set.
>
> -- MOTION ENDS --
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
>
>   Start Time: 2018-03-07 19:00:00 UTC
>
>   End Time: 2018-04-03 19:00:00 UTC
>
> Vote for approval (7 days)
>
>   Start Time: 2018-04-03 19:00:00 UTC
>
>   End Time: 2018-04-10 19:00:00 UTC
>
> *Corey Bonnell*
>
> Senior Software Engineer
>
> t: +1 412.395.2233
>
> *Trustwave* | SMART SECURITY ON DEMAND
> www.trustwave.com <http://www.trustwave.com/>
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

-- 
Chris Kemmerer
Manager of Operations
SSL.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~ To find the reefs, look~~~~~~~~
~~~~     for the wrecks.    ~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
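An added illustration of the rule the ballot text above describes, written for this page and not part of the thread or of any CA's code: a CA-side check that decides whether a given CA may issue for a name, given the relevant CAA Resource Record Set. The `CAARecord` type, the `issuance_permitted` and `_issuer_domain` names and the sample record sets are assumptions made for the example; beyond the ballot's own sentence, it also applies the RFC 6844 section 5.3 precedence of issuewild over issue for Wildcard Domain Names and the BR 3.2.2.8 refusal on a critical-flagged unrecognized tag.

```python
from dataclasses import dataclass

# Hypothetical record model for the example: one CAA RR after DNS lookup.
@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (0x80) is the issuer-critical flag (RFC 6844 section 3)
    tag: str     # property tag, e.g. "issue", "issuewild", "iodef"
    value: str   # property value, e.g. "ca.example; account=123"

# Tags the BRs require a CA to process; anything else is "unrecognized".
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def _issuer_domain(value: str) -> str:
    # An issue/issuewild value is "issuer-domain-name [; parameters]".
    # An empty issuer domain ("issue ;") means no CA may issue.
    return value.split(";", 1)[0].strip().lower()

def issuance_permitted(rrset: list[CAARecord], ca_domain: str,
                       wildcard: bool = False) -> bool:
    """Return True if ca_domain may issue for the name that owns rrset."""
    # BR 3.2.2.8: a critical flag on an unrecognized property forbids issuance,
    # regardless of what the issue/issuewild tags say.
    for rec in rrset:
        if rec.flags & 0x80 and rec.tag.lower() not in KNOWN_TAGS:
            return False
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # RFC 6844 section 5.3: issuewild is ignored for non-wildcard names, and for
    # wildcard names it supersedes issue when at least one issuewild is present.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        # Ballot 219: a non-empty set with no issue tags (and no issuewild tags
        # for a wildcard name) is treated as permission to issue. An empty set
        # (no CAA records found at all) is unrestricted under RFC 6844 anyway.
        return True
    # At least one issue/issuewild tag names this CA; "issue ;" yields "" and
    # therefore never matches.
    return any(_issuer_domain(r.value) == ca_domain.lower() for r in relevant)

# Constructed sample sets illustrating the ballot's case and its neighbours.
IODEF_ONLY = [CAARecord(0, "iodef", "mailto:security@example.test")]
ISSUE_CA = [CAARecord(0, "issue", "ca.example; account=42")]
DENY_ALL = [CAARecord(0, "issue", ";")]
CRIT_UNKNOWN = [CAARecord(0x80, "mystery", "whatever")]
WILD_ONLY = [CAARecord(0, "issuewild", "wild.example")]
```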
