[Servercert-wg] CAA RFC8659 update
Tomas Gustavsson
tomas.gustavsson at primekey.com
Wed Nov 20 09:10:08 MST 2019
On 2019-11-20 16:21, Ryan Sleevi wrote:
>
>
> On Wed, Nov 20, 2019 at 5:19 AM Tomas Gustavsson via Servercert-wg
> <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org>> wrote:
>
>
> Hi,
>
> I just saw that CAA has a new RFC, RFC8659, with updates in particular
> to the tree climbing. The CNAME and DNAME processing was if I remember
> correctly some of the biggest challenges when implementing RFC6844, and
> this is basically gone in RFC8659 (delegated to the CAs resolver to
> follow CNAMES etc).
>
> Current BRs specify RFC6844 with specifics around CNAMEs.
> I could not find any previous discussion on RFC6844 so wondered if there
> has been a discussion on adopting RFC8659?
>
> Adopting this would likely mean implementation changes (while, if CAB
> Forum is not adopting the new RFC I see little point in the RFC update
> at all).
>
>
> Hi Tomas,
>
> Currently, the BRs referenced RFC6844 along with Errata 5065 (see
> Appendix A). Functionally, this is what became RFC 8659. RFC 8659 just
> got published this morning ( https://tools.ietf.org/html/rfc8659 )
>
> I'm not sure why you didn't find the discussion. This was CA/B Forum
> Ballot 214 that adopted the Errata, and then went through the IETF
> process to update and standardize it.
>
> So we're good to update to reference RFC 8659, and there should be no
> functional change for existing CAs complying with the BRs. Of course,
> they are welcome and encouraged to review and highlight any concerns, if
> there is to be a phase-in transition, but that should not be necessary
> and it should just be administrivia.
Sorry, I did read Appendix A before posting. I tripped over the
differences in language of the algorithm description. Good to know the
intent is the same. I'll analyze it a bit more and get back if I have
concerns.
Regards,
Tomas
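As an added illustration of the tree-climbing change discussed above (example code, not part of this thread or of any CA's implementation): a toy model of the RFC 8659 Relevant Record Set algorithm, where CNAME following is left to the resolver and only the parents of the queried name are climbed. The zone data, names and the `resolve_caa`/`relevant_caa_set` helpers are constructed for the example.

```python
# Added example, not from the thread: a toy model of the RFC 8659
# "Relevant Record Set" tree climb. All zone data below is constructed.
from typing import Dict, List, Tuple

# Constructed zone: name -> ("CNAME", target) or ("CAA", [records]).
ZONE: Dict[str, Tuple[str, object]] = {
    "www.example.com.": ("CNAME", "host.cdn.example.net."),
    "example.com.": ("CAA", ['0 issue "ca1.example"']),
    "cdn.example.net.": ("CAA", ['0 issue "cdn-ca.example"']),
}

MAX_CNAME_HOPS = 8


def resolve_caa(name: str) -> List[str]:
    """Model a recursive resolver's answer to a CAA query: follow the
    CNAME chain (RFC 8659 leaves this to the resolver) and return the
    CAA RRset at the final target, or [] if there is none."""
    for _ in range(MAX_CNAME_HOPS):
        rtype, data = ZONE.get(name, (None, None))
        if rtype == "CNAME":
            name = data
            continue
        return list(data) if rtype == "CAA" else []
    raise RuntimeError("CNAME loop or chain too long")


def parent(name: str) -> str:
    """Strip the leftmost label: 'example.com.' -> 'com.' -> '.'."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def relevant_caa_set(domain: str) -> Tuple[str, List[str]]:
    """RFC 8659 section 3: climb the parents of the *queried* name until
    a non-empty CAA RRset is found. Parents of a CNAME target are never
    climbed; only the resolver's answer for each name counts."""
    name = domain if domain.endswith(".") else domain + "."
    while name != ".":
        rrset = resolve_caa(name)
        if rrset:
            return name, rrset
        name = parent(name)
    return ".", []


if __name__ == "__main__":
    # www.example.com aliases into cdn.example.net, but the CAA record
    # at cdn.example.net is not consulted; the climb goes to example.com.
    print(relevant_caa_set("www.example.com"))
```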