[Servercert-wg] CAA RFC8659 update

Tomas Gustavsson tomas.gustavsson at primekey.com
Wed Nov 20 09:10:08 MST 2019

On 2019-11-20 16:21, Ryan Sleevi wrote:
> On Wed, Nov 20, 2019 at 5:19 AM Tomas Gustavsson via Servercert-wg
> <servercert-wg at cabforum.org> wrote:
>     Hi,
>     I just saw that CAA has a new RFC, RFC8659, with updates in particular
>     to the tree climbing. The CNAME and DNAME processing was if I remember
>     correctly some of the biggest challenges when implementing RFC6844, and
>     this is basically gone in RFC8659 (delegated to the CAs resolver to
>     follow CNAMES etc).
>     Current BRs specify RFC6844 with specifics around CNAMEs.
>     I could not find any previous discussion on RFC6844 so wondered if there
>     has been a discussion on adopting RFC8659?
>     Adopting this would likely mean implementation changes (while, if CAB
>     Forum is not adopting the new RFC I see little point in the RFC update
>     at all).
> Hi Tomas,
> Currently, the BRs referenced RFC6844 along with Errata 5065 (see
> Appendix A). Functionally, this is what became RFC 8659. RFC 8659 just
> got published this morning ( https://tools.ietf.org/html/rfc8659 )
> I'm not sure why you didn't find the discussion. This was CA/B Forum
> Ballot 214 that adopted the Errata, and then went through the IETF
> process to update and standardize it.
> So we're good to update to reference RFC 8659, and there should be no
> functional change for existing CAs complying with the BRs. Of course,
> they are welcome and encouraged to review and highlight any concerns, if
> there is to be a phase-in transition, but that should not be necessary
> and it should just be administrivia. 

Sorry, I did read Appendix A before posting. I tripped over the
differences in language of the algorithm description. Good to know the
intent is the same. I'll analyze it a bit more and get back if I have
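The "tree climbing" change the thread is about is the RFC 8659 section 3 lookup: the CA walks from the FQDN toward the root and takes the first non-empty CAA RRset, while CNAME (and DNAME) following is left entirely to the resolver instead of being spelled out in the CA's own algorithm. The following is an added illustration, not code from the thread, PrimeKey or the CA/B Forum; it runs against a constructed in-memory `ZONE` dictionary standing in for DNS, and the names `ca.example`, `wild-ca.example`, `example.com` and `example.net` are made-up sample data.

```python
"""RFC 8659 CAA relevant-record-set lookup over a constructed, in-memory zone."""
from typing import Dict, List

# Constructed sample data (not a real zone): owner name -> either a CNAME target
# or a list of CAA records as (flags, tag, value).
ZONE: Dict[str, dict] = {
    "example.com.": {"CAA": [(0, "issue", "ca.example")]},
    "www.example.com.": {"CNAME": "web.example.net."},      # alias into another domain
    "web.example.net.": {},                                 # alias target has no CAA
    "strict.example.com.": {"CAA": [(0, "issue", ";")]},    # forbids all issuance
    "shop.example.com.": {"CAA": [(0, "issue", "ca.example"),
                                  (0, "issuewild", "wild-ca.example")]},
    "loop.example.com.": {"CNAME": "loop2.example.com."},   # alias loop, should fail
    "loop2.example.com.": {"CNAME": "loop.example.com."},
}

MAX_ALIAS_HOPS = 8


def caa_query(name: str) -> List[tuple]:
    """Model of CAA(X) from RFC 8659 section 3: the *resolver* follows CNAME
    chains and returns the CAA RRset at the end of the chain, or the empty set.
    A loop or an over-long chain is treated as a lookup failure, not as empty."""
    seen = set()
    while True:
        if name in seen or len(seen) >= MAX_ALIAS_HOPS:
            raise RuntimeError(f"alias loop or chain too long at {name}")
        seen.add(name)
        node = ZONE.get(name, {})
        if "CNAME" in node:
            name = node["CNAME"]
            continue
        return list(node.get("CAA", []))


def parent(name: str) -> str:
    """Strip the leftmost label; the root is spelled '.'."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def relevant_caa_set(fqdn: str) -> List[tuple]:
    """RelevantCAASet(X) per RFC 8659 section 3: climb from the queried name
    toward the root and return the first non-empty CAA RRset. Note that the
    climb continues from the *original* name's parent, not the alias target."""
    name = fqdn if fqdn.endswith(".") else fqdn + "."
    while name != ".":
        rrset = caa_query(name)
        if rrset:
            return rrset
        name = parent(name)
    return []


def issuance_permitted(fqdn: str, ca_domain: str, wildcard: bool = False) -> bool:
    """Apply the issue / issuewild semantics of RFC 8659 section 4 to the
    relevant RRset for a hypothetical CA identified by ca_domain."""
    rrset = relevant_caa_set(fqdn)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is not restricted
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # issuewild takes precedence for wildcard names
    domains = [v.split(";")[0].strip().lower() for _, t, v in rrset if t == tag]
    if not domains:
        return True  # relevant set carries no property of this kind
    return ca_domain.lower() in domains  # 'issue ;' yields '' and so never matches


if __name__ == "__main__":
    for name in ("www.example.com", "strict.example.com", "shop.example.com"):
        print(name, relevant_caa_set(name), issuance_permitted(name, "ca.example"))
```

The `www.example.com` case is the one that differs in wording between RFC 6844 and RFC 8659: the CNAME target carries no CAA, so the climb proceeds from `example.com`, the parent of the queried name, and the alias target's own parents are never consulted. The alias-loop entries show why a CA implementation should treat resolver failure as a hard error rather than as "no CAA found".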