[cabfpub] Voting Begins: Ballot 219 v2: Clarify handling of CAA Record Sets with no "issue"/"issuewild" property tag
jimmy at it.auth.gr
Mon Apr 9 17:34:50 UTC 2018
HARICA votes "yes" to ballot 219 v2.
On 3/4/2018 7:13 PM, Corey Bonnell via Public wrote:
> Ballot 219 v2: Clarify handling of CAA Record Sets with no
> "issue"/"issuewild" property tag
> Purpose of this ballot:
> RFC 6844 contains an ambiguity in regard to the correct processing of
> a non-empty CAA Resource Record Set that does not contain any issue
> property tag (and also does not contain any issuewild property tag in
> the case of a Wildcard Domain Name). It is ambiguous if a CA must not
> issue when such a CAA Resource Record Set is encountered, or if such a
> Resource Record Set is implicit permission to issue.
> Given that the intent of the RFC is clear (such a CAA Resource Record
> Set is implicit permission to issue), we are proposing the following
> change to allow for CAA processing consistent with the intent of the RFC.
> The following motion has been proposed by Corey Bonnell of Trustwave
> and endorsed by Tim Hollebeek of Digicert and Mads Egil Henriksveen of
> -- MOTION BEGINS --
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates” as follows, based upon
> Version 1.5.6:
> In section 184.108.40.206, add this sentence:
> CAs MAY treat a non-empty CAA Resource Record Set that does not
> contain any issue property tags (and also does not contain any
> issuewild property tags when performing CAA processing for a Wildcard
> Domain Name) as permission to issue, provided that no records in the
> CAA Resource Record Set otherwise prohibit issuance.
> to the end of this paragraph:
> When processing CAA records, CAs MUST process the issue, issuewild,
> and iodef property tags as specified in RFC 6844, although they are
> not required to act on the contents of the iodef property tag.
> Additional property tags MAY be supported, but MUST NOT conflict with
> or supersede the mandatory property tags set out in this document. CAs
> MUST respect the critical flag and not issue a certificate if they
> encounter an unrecognized property with this flag set.
> -- MOTION ENDS --
> The procedure for approval of this ballot is as follows:
> Discussion (7+ days)
> Start Time: 2018-03-07 19:00:00 UTC
> End Time: 2018-04-03 19:00:00 UTC
> Vote for approval (7 days)
> Start Time: 2018-04-03 19:00:00 UTC
> End Time: 2018-04-10 19:00:00 UTC
> *Corey Bonnell*
> Senior Software Engineer
> t: +1 412.395.2233
> *Trustwave* | SMART SECURITY ON DEMAND
> www.trustwave.com <http://www.trustwave.com/>
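The processing rule in the quoted motion, sketched as an added example that is not part of the original message and not any CA's code: it evaluates a CAA record set for a given issuer domain, with the ballot's "MAY treat as permission to issue" choice exposed as a flag. The function names, the `(flags, tag, value)` tuple layout and the sample record sets are assumptions constructed for illustration.

```python
# Added example: CAA record-set evaluation covering the case the ballot clarifies.
# Records are constructed (flags, tag, value) tuples, not live DNS data.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # RFC 6844 issuer-critical flag bit


def issuer_domain(value):
    """Return the issuer domain of an issue/issuewild value, dropping parameters."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(records, ca_domain, wildcard=False, no_issue_means_permit=True):
    """Return True if ca_domain may issue given the relevant CAA record set."""
    if not records:
        return True  # empty record set: CAA imposes no restriction
    tagged = [(flags, tag.lower(), value) for flags, tag, value in records]
    # An unrecognized property with the critical flag set always blocks issuance.
    if any(f & CRITICAL and t not in KNOWN_TAGS for f, t, _ in tagged):
        return False
    issue = [v for _, t, v in tagged if t == "issue"]
    issuewild = [v for _, t, v in tagged if t == "issuewild"]
    # For a Wildcard Domain Name, issuewild records take precedence when present.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        # Non-empty set with no applicable issue/issuewild tag: the ambiguous
        # case. The ballot lets a CA treat it as permission to issue.
        return no_issue_means_permit
    return any(issuer_domain(v) == ca_domain.lower() for v in relevant)


# Constructed sample record sets.
IODEF_ONLY = [(0, "iodef", "mailto:security@example.com")]
CRITICAL_UNKNOWN = [(128, "futuretag", "x")] + IODEF_ONLY
ISSUEWILD_ONLY = [(0, "issuewild", "other-ca.example")]
ISSUE_OTHER = [(0, "issue", "other-ca.example; account=1")]
ISSUE_NOBODY = [(0, "issue", ";")]

if __name__ == "__main__":
    for name in ("IODEF_ONLY", "CRITICAL_UNKNOWN", "ISSUEWILD_ONLY",
                 "ISSUE_OTHER", "ISSUE_NOBODY"):
        print(name, caa_permits(globals()[name], "ca.example"))
```

Setting `no_issue_means_permit=False` models the stricter reading of RFC 6844 that the ballot text describes as ambiguous.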