[cabfpub] Voting Begins: Ballot 219 v2: Clarify handling of CAA Record Sets with no "issue"/"issuewild" property tag
Adriano Santoni
adriano.santoni at staff.aruba.it
Tue Apr 10 06:00:40 UTC 2018
Actalis votes "yes".
Il 03/04/2018 18:13, Corey Bonnell via Public ha scritto:
>
> Ballot 219 v2: Clarify handling of CAA Record Sets with no
> "issue"/"issuewild" property tag
>
> Purpose of this ballot:
>
> RFC 6844 contains an ambiguity in regard to the correct processing of
> a non-empty CAA Resource Record Set that does not contain any issue
> property tag (and also does not contain any issuewild property tag in
> the case of a Wildcard Domain Name). It is ambiguous if a CA must not
> issue when such a CAA Resource Record Set is encountered, or if such a
> Resource Record Set is implicit permission to issue.
>
> Given that the intent of the RFC is clear (such a CAA Resource Record
> Set is implicit permission to issue), we are proposing the following
> change to allow for CAA processing consistent with the intent of the RFC.
>
> The following motion has been proposed by Corey Bonnell of Trustwave
> and endorsed by Tim Hollebeek of Digicert and Mads Egil Henriksveen of
> Buypass.
>
> -- MOTION BEGINS --
>
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates” as follows, based upon
> Version 1.5.6:
>
> In section 3.2.2.8, add this sentence:
>
> CAs MAY treat a non-empty CAA Resource Record Set that does not
> contain any issue property tags (and also does not contain any
> issuewild property tags when performing CAA processing for a Wildcard
> Domain Name) as permission to issue, provided that no records in the
> CAA Resource Record Set otherwise prohibit issuance.
>
> to the end of this paragraph:
>
> When processing CAA records, CAs MUST process the issue, issuewild,
> and iodef property tags as specified in RFC 6844, although they are
> not required to act on the contents of the iodef property tag.
> Additional property tags MAY be supported, but MUST NOT conflict with
> or supersede the mandatory property tags set out in this document. CAs
> MUST respect the critical flag and not issue a certificate if they
> encounter an unrecognized property with this flag set.
>
> -- MOTION ENDS –
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
>
> Start Time: 2018-03-07 19:00:00 UTC
>
> End Time: 2018-04-03 19:00:00 UTC
>
> Vote for approval (7 days)
>
> Start Time: 2018-04-03 19:00:00 UTC
>
> End Time: 2018-04-10 19:00:00 UTC
>
> *Corey Bonnell*
>
> Senior Software Engineer
>
> t: +1 412.395.2233
>
> *Trustwave***| SMART SECURITY ON DEMAND
> www.trustwave.com <http://www.trustwave.com/>
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180410/7e06ab22/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4025 bytes
Desc: Firma crittografica S/MIME
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180410/7e06ab22/attachment-0003.p7s>
More information about the Public
mailing list