[Servercert-wg] Ballot SC 13 version 3

Doug Beattie doug.beattie at globalsign.com
Tue Dec 4 14:40:58 MST 2018

Thanks Ryan.


From: Ryan Sleevi <sleevi at google.com> 
Sent: Tuesday, December 4, 2018 4:39 PM
To: Doug Beattie <doug.beattie at globalsign.com>
Cc: Tim Hollebeek <tim.hollebeek at digicert.com>; servercert-wg at cabforum.org
Subject: Re: [Servercert-wg] Ballot SC 13 version 3



On Tue, Dec 4, 2018 at 4:30 PM Doug Beattie <doug.beattie at globalsign.com <mailto:doug.beattie at globalsign.com> > wrote:

I’m getting more “correct” and “sure” responses, so that’s good.  Just one last item.


Let me ask this question again.  Are the issue, issuewild or iodef records processed other than for existence?   If we assume:

subdomain.example.com <http://subdomain.example.com>  CAA 0 contactemail "domainowner at example.com <mailto:domainowner at example.com> "

subdomain.example.com <http://subdomain.example.com>  CAA 0 issue test.ca <http://test.ca> 

When example.ca <http://example.ca>  is attempting to perform domain validation for subdomain.example.com <http://subdomain.example.com> , are they permitted to validate the domain?  I understand this will fail later during issuance, but the question is: Is the CA required to look at and process the other CAA records when doing domain validation?  I’m assuming that the issue and issuewild are only used for issuance (as their name implies).  I just wanted to be sure that the domain validation process didn’t need to take these records into account to permit or block domain validation.


When using the proposed method, the CA would, for validation purposes, examine the CAA record set for the ADN solely for the "contactemail" property.

Regardless of the validation method used, the CA would ALSO obtain the CAA record sets for all of the FQDNs, as part of fulfilling their obligations under


In this case, "validation" would have passed, but failed

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20181204/b624469f/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5716 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20181204/b624469f/attachment-0001.p7s>

More information about the Servercert-wg mailing list