[Servercert-wg] CAA RFC8659 update

Tim Hollebeek tim.hollebeek at digicert.com
Wed Nov 20 11:38:52 MST 2019

IIRC there’s some additional stuff in RFC 8659 beyond the Errata, but it’s all good stuff, so we would support adopting the RFC.


I don’t recall if any of it is significant enough to require a phase-in period.




From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Ryan Sleevi via Servercert-wg
Sent: Wednesday, November 20, 2019 8:22 AM
To: Tomas Gustavsson <tomas.gustavsson at primekey.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: Re: [Servercert-wg] CAA RFC8659 update




On Wed, Nov 20, 2019 at 5:19 AM Tomas Gustavsson via Servercert-wg <servercert-wg at cabforum.org> wrote:


I just saw that CAA has a new RFC, RFC8659, with updates in particular
to the tree climbing. The CNAME and DNAME processing was if I remember
correctly some of the biggest challenges when implementing RFC6844, and
this is basically gone in RFC8659 (delegated to the CA's resolver to
follow CNAMEs etc).

Current BRs specify RFC6844 with specifics around CNAMEs.
I could not find any previous discussion on RFC6844 so wondered if there
has been a discussion on adopting RFC8659?

Adopting this would likely mean implementation changes (while, if CAB
Forum is not adopting the new RFC I see little point in the RFC update
at all).


Hi Tomas,


Currently, the BRs reference RFC6844 along with Errata 5065 (see Appendix A). Functionally, this is what became RFC 8659. RFC 8659 just got published this morning (https://tools.ietf.org/html/rfc8659).


I'm not sure why you didn't find the discussion. This was CA/B Forum Ballot 214 that adopted the Errata, and then went through the IETF process to update and standardize it.


So we're good to update to reference RFC 8659, and there should be no functional change for existing CAs complying with the BRs. Of course, they are welcome and encouraged to review and highlight any concerns, if there is to be a phase-in transition, but that should not be necessary and it should just be administrivia.
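As an added illustration of the tree-climbing change Tomas describes (example code, not from anyone in this thread): a toy model of the original RFC 6844 section 4 lookup beside the RFC 8659 section 3 one, run over a constructed in-memory zone where www.example.com is a CNAME into a third-party domain. The zone, names and CA identifiers are invented, and DNAME handling is omitted.

```python
# Added example (not from the thread): RFC 6844 vs RFC 8659 "relevant CAA
# record set" lookup over a constructed in-memory zone (no real DNS queries).
ZONE = {  # constructed sample data: name -> {"CAA": [...]} and/or {"CNAME": target}
    "example.com": {"CAA": ['0 issue "example-ca"']},
    "www.example.com": {"CNAME": "host.cdn.net"},  # alias into a third-party zone
    "cdn.net": {"CAA": ['0 issue "cdn-ca"']},
}

def parent(name):
    """P(X): drop the leftmost label; 'com' -> '' (the root ends the climb)."""
    return name.partition(".")[2]

def resolve_caa(name, max_hops=8):
    """CAA(X) as an RFC 1034 resolver answers it: chase CNAME aliases (DNAME
    omitted for brevity) and return the CAA RRset at the final name."""
    for _ in range(max_hops):
        rr = ZONE.get(name, {})
        if "CNAME" not in rr:
            return rr.get("CAA", [])
        name = rr["CNAME"]
    raise RuntimeError("CNAME chain too long")

def alias_target(name):
    """A(X): the CNAME target at X, or None when X is not an alias."""
    return ZONE.get(name, {}).get("CNAME")

def relevant_caa_rfc6844(name):
    """Original RFC 6844 section 4: when CAA(X) is empty, try R(A(X)), i.e.
    climb from the alias target's ancestors too, before climbing from P(X)."""
    if not name:
        return []
    rrset = resolve_caa(name)
    if rrset:
        return rrset
    target = alias_target(name)
    if target is not None:
        via_alias = relevant_caa_rfc6844(target)
        if via_alias:
            return via_alias
    return relevant_caa_rfc6844(parent(name))

def relevant_caa_rfc8659(name):
    """RFC 8659 section 3: climb only from X itself; aliases are followed
    inside each CAA(X) query, never climbed upward from the alias target."""
    while name:
        rrset = resolve_caa(name)
        if rrset:
            return rrset
        name = parent(name)
    return []
```

In this constructed zone the two algorithms disagree for www.example.com: the original climb returns the CAA set found above the alias target (cdn.net), while the RFC 8659 climb returns the CAA set at example.com.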
