[cabfpub] Discussion Period to End/Voting to Begin on Ballot 219 v2: Clarify handling of CAA Record Sets with no "issue"/"issuewild" property tag

Dimitris Zacharopoulos jimmy at it.auth.gr
Mon Apr 2 14:23:42 UTC 2018

Hello Corey,

I'm afraid you've passed the 21 days from first introduction and 
according to the Bylaws (section 2.3 c) the ballot automatically fails. 
I think this is actually the first time we have this situation so I 
would like at least another member to confirm or correct my interpretation.

If I am correct, you should pick a new ballot number and send a new 
ballot to start the 7-day (minimum) discussion period. If you are 
certain that you will not need more than 7 days for discussion, you 
could indicate that the voting period begins exactly after the 7-days 

Best Regards,

On 2/4/2018 4:52 μμ, Corey Bonnell via Public wrote:
> Hello,
> IETF 101 has transpired two weeks ago and erratum 5244 
> (https://www.rfc-editor.org/errata/eid5244) was discussed. There is 
> acknowledgement by the RFC 6844-bis author that the wording will be 
> clarified in the next version of the RFC (see Jacob Hoffman-Andrews’s 
> acknowledgement at 
> https://www.ietf.org/mail-archive/web/spasm/current/msg01203.html<https://scanmail.trustwave.com/?c=4062&d=sqm_2mcKYKQ12aW4ctq0BDIiQzy2hIa4Xyq7D7WpIg&s=5&u=https%3a%2f%2fclicktime%2esymantec%2ecom%2fa%2f1%2fuUwicKB8-pbHUWekhZLLnL1-iQ4iv8xW0naYU8AFGIw%3d%3fd%3dq3oyNowL2aeaPqmICQ6FILMGQnUfIOKUv5cXNx7atOigOD%5fQT40kd5gytm1HYEMEC5lPaH7h2Z8%5frmod645WTM4RcJ0f2NjDMvKUaPdN%5fNMSYIvaHstwmn7QNVmPT8lyOMUi--ogk2eOrlGGaWrMS9A6FiBImZuZ3OPHhoEWrCgKUUWTwngjo-SM%5fS3gSUr8NNNN2zTX2c2EHeYXnHvU5FgDJofsezIeuOxr2iYXJMYqQCCKHEq-m5mX66RT-wjoereyGuNb5VjIn9QGZuB-ds1QFnrLQKdMRrxIaIiDLgSqSlkfUqIU1BzVD-AaoO8sTJlufu3%5f0hW6KIgY5aKiDcHcgZZQSZwNjiazIwVkAGQeel0RrA%253D%253D%26u%3dhttps%253A%252F%252Fwww%2eietf%2eorg%252Fmail-archive%252Fweb%252Fspasm%252Fcurrent%252Fmsg01203%2ehtml> and 
> my response at 
> https://www.ietf.org/mail-archive/web/spasm/current/msg01206.html<https://scanmail.trustwave.com/?c=4062&d=sqm_2mcKYKQ12aW4ctq0BDIiQzy2hIa4XyjrXL2scA&s=5&u=https%3a%2f%2fclicktime%2esymantec%2ecom%2fa%2f1%2f8ZBAp3FOCf908ne78Zhxwn40HD9hrc0H9QE-w1fF6oI%3d%3fd%3dq3oyNowL2aeaPqmICQ6FILMGQnUfIOKUv5cXNx7atOigOD%5fQT40kd5gytm1HYEMEC5lPaH7h2Z8%5frmod645WTM4RcJ0f2NjDMvKUaPdN%5fNMSYIvaHstwmn7QNVmPT8lyOMUi--ogk2eOrlGGaWrMS9A6FiBImZuZ3OPHhoEWrCgKUUWTwngjo-SM%5fS3gSUr8NNNN2zTX2c2EHeYXnHvU5FgDJofsezIeuOxr2iYXJMYqQCCKHEq-m5mX66RT-wjoereyGuNb5VjIn9QGZuB-ds1QFnrLQKdMRrxIaIiDLgSqSlkfUqIU1BzVD-AaoO8sTJlufu3%5f0hW6KIgY5aKiDcHcgZZQSZwNjiazIwVkAGQeel0RrA%253D%253D%26u%3dhttps%253A%252F%252Fwww%2eietf%2eorg%252Fmail-archive%252Fweb%252Fspasm%252Fcurrent%252Fmsg01206%2ehtml>). 
> However, there is still no indication that the erratum state will 
> change to “Held for Document Update” or “Approved” anytime soon.
> We believe that the acknowledgement from the RFC author to fix this in 
> the next version of the RFC is a sufficient surrogate to getting the 
> erratum state changed. Waiting for the erratum state to change is 
> merely red-tape in the process. As such, we intend to proceed with the 
> ballot in its current form by closing the Discussion Period on Ballot 
> 219 and begin voting tomorrow evening (UTC time).
> Thanks,
> Corey
> Ballot 219 v2: Clarify handling of CAA Record Sets with no 
> "issue"/"issuewild" property tag
> Purpose of this ballot:
> RFC 6844 contains an ambiguity in regard to the correct processing of 
> a non-empty CAA Resource Record Set that does not contain any issue 
> property tag (and also does not contain any issuewild property tag in 
> the case of a Wildcard Domain Name). It is ambiguous if a CA must not 
> issue when such a CAA Resource Record Set is encountered, or if such a 
> Resource Record Set is implicit permission to issue.
> Given that the intent of the RFC is clear (such a CAA Resource Record 
> Set is implicit permission to issue), we are proposing the following 
> change to allow for CAA processing consistent with the intent of the RFC.
> The following motion has been proposed by Corey Bonnell of Trustwave 
> and endorsed by Tim Hollebeek of Digicert and Mads Egil Henriksveen of 
> Buypass.
> This ballot modifies the “Baseline Requirements for the Issuance and 
> Management of Publicly-Trusted Certificates” as follows, based upon 
> Version 1.5.6:
> In section, add this sentence:
> CAs MAY treat a non-empty CAA Resource Record Set that does not 
> contain any issue property tags (and also does not contain any 
> issuewild property tags when performing CAA processing for a Wildcard 
> Domain Name) as permission to issue, provided that no records in the 
> CAA Resource Record Set otherwise prohibit issuance.
> to the end of this paragraph:
> When processing CAA records, CAs MUST process the issue, issuewild, 
> and iodef property tags as specified in RFC 6844, although they are 
> not required to act on the contents of the iodef property tag. 
> Additional property tags MAY be supported, but MUST NOT conflict with 
> or supersede the mandatory property tags set out in this document. CAs 
> MUST respect the critical flag and not issue a certificate if they 
> encounter an unrecognized property with this flag set.
> The procedure for approval of this ballot is as follows:
> Discussion (7+ days)
>   Start Time: 2018-03-07 19:00:00 UTC
>   End Time: 2018-04-03 19:00:00 UTC
> Vote for approval (7 days)
>   Start Time: 2018-04-03 19:00:00 UTC
>   End Time: 2018-04-10 19:00:00 UTC
> *Corey Bonnell*
> Senior Software Engineer
> t: +1 412.395.2233
> www.trustwave.com <http://www.trustwave.com/>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180402/16b6b469/attachment-0003.html>

More information about the Public mailing list