[Servercert-wg] Ballot SC 13 version 3

Ryan Sleevi sleevi at google.com
Tue Dec 4 14:38:31 MST 2018


On Tue, Dec 4, 2018 at 4:30 PM Doug Beattie <doug.beattie at globalsign.com>
wrote:

> I’m getting more “correct” and “sure” responses, so that’s good.  Just one
> last item.
>
> Let me ask this question again.  Are the issue, issuewild or iodef records
> processed other than for existence?   If we assume:
>
> subdomain.example.com CAA 0 contactemail "domainowner at example.com"
>
> subdomain.example.com CAA 0 issue test.ca
>
> When example.ca is attempting to perform domain validation for
> subdomain.example.com, are they permitted to validate the domain?  I
> understand this will fail later during issuance, but the question is: Is
> the CA required to look at and process the other CAA records when doing
> domain validation?  I’m assuming that the issue and issuewild are only used
> for issuance (as their name implies).  I just wanted to be sure that the
> domain validation process didn’t need to take these records into account to
> permit or block domain validation.
>

When using the proposed 3.2.2.4.13 method, the CA would, for validation
purposes, examine the CAA record set for the ADN solely for the
"contactemail" property.
Regardless of the validation method used, the CA would ALSO obtain the CAA
record sets for all of the FQDNs, as part of fulfilling their obligations
under 3.2.2.8.

In this case, "validation" would have passed 3.2.2.4.13, but failed 3.2.2.8.
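An added illustration (not from this thread and not any CA's code) of the two separate CAA checks described above: a 3.2.2.4.13-style lookup that reads only the "contactemail" property, beside a 3.2.2.8-style issuance check that reads "issue"/"issuewild". The record set is a constructed copy of the one in the question (mail address written out), and the issuance rules are a simplified, single-label version of the RFC 8659 matching semantics with no DNS lookup or tree-climbing.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit value 128 is the "issuer critical" flag
    tag: str     # property tag, stored lower-case
    value: str

def parse_caa_records(zone_text: str) -> list:
    """Parse presentation-format lines like: name CAA 0 issue "test.ca"."""
    records = []
    for line in zone_text.strip().splitlines():
        _name, rrtype, flags, tag, value = line.split(None, 4)
        assert rrtype.upper() == "CAA", "not a CAA record"
        records.append(CAARecord(int(flags), tag.lower(), value.strip('"')))
    return records

def contact_emails_for_validation(records) -> list:
    """3.2.2.4.13-style view: only the contactemail property is examined."""
    return [r.value for r in records if r.tag == "contactemail"]

def issuance_permitted(records, ca_domain: str, wildcard: bool = False) -> bool:
    """3.2.2.8-style view: may ca_domain issue for the name owning these records?"""
    known = {"issue", "issuewild", "iodef", "contactemail"}
    # A critical property the CA does not understand forbids issuance.
    if any(r.flags & 128 and r.tag not in known for r in records):
        return False
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no applicable issue/issuewild property: no restriction
    for r in relevant:
        issuer = r.value.split(";", 1)[0].strip().lower()  # drop parameters
        if issuer and issuer == ca_domain.lower():
            return True
    return False

# Constructed record set matching the question in the thread.
DOUG_RECORDS = parse_caa_records("""
subdomain.example.com CAA 0 contactemail "domainowner@example.com"
subdomain.example.com CAA 0 issue test.ca
""")

def outcome_for(records, ca_domain: str) -> tuple:
    """(contactemail available for validation, issuance permitted) for a CA."""
    return (bool(contact_emails_for_validation(records)),
            issuance_permitted(records, ca_domain))

if __name__ == "__main__":
    print(outcome_for(DOUG_RECORDS, "example.ca"))  # (True, False)
```

For example.ca the result is (True, False): validation can proceed on the contactemail property, while the issue property for test.ca blocks issuance.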