On Fri, Sep 8, 2017 at 12:24 PM, Andrew Ayer via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
> The BRs state:
>
> "Effective as of 8 September 2017, section 4.2 of a CA's Certificate
> Policy and/or Certification Practice Statement (section 4.1 for CAs
> still conforming to RFC 2527) SHALL state the CA's policy or practice
> on processing CAA Records for Fully Qualified Domain Names; that policy
> shall be consistent with these Requirements. It shall clearly specify
> the set of Issuer Domain Names that the CA recognises in CAA 'issue' or
> 'issuewild' records as permitting it to issue. The CA SHALL log all
> actions taken, if any, consistent with its processing practice."
>
> Since it is now 8 September 2017, I decided to spot check the CP/CPSes
> of some CAs.
>
> At time of writing, the latest published CP/CPSes of the following CAs
> are not compliant with the above provision of the BRs:
>
> Amazon (https://www.amazontrust.com/repository/) - Does not check CAA
>
>
> It would be nice to hear confirmation from the non-compliant CAs that they
> really are checking CAA as required, and if so, why they overlooked the
> requirement to update their CP/CPS.

Amazon Trust Services is checking CAA prior to issuance of
certificates.  We provided the domain list in our responses to the
last Mozilla communication and will be updating our externally
published policy and practice documentation to match shortly.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
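The BR clause quoted above hinges on how a CA turns CAA "issue" and "issuewild" records into a permit-or-refuse decision for a given Issuer Domain Name. The following is an added example, not code from Amazon Trust Services, Mozilla or the thread participants, modelling the RFC 6844 CAA processing a CA performs before issuance: climb from the FQDN toward the root to find the relevant CAA RRset, apply "issuewild" to wildcard requests (falling back to "issue"), refuse on a critical tag the issuer does not understand, and treat an empty issuer domain (";") as "nobody may issue". The zone data and issuer domains are constructed for illustration; CNAME/DNAME chasing and DNS lookups themselves are left out so it runs offline.

```python
"""Offline model of CAA (RFC 6844) issue/issuewild restriction processing.
Added example with constructed zone data; not any CA's production code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ISSUER_CRITICAL = 0x80            # bit 7 of the CAA flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0, or ISSUER_CRITICAL if the property MUST be understood
    tag: str     # property tag, compared case-insensitively
    value: str   # e.g. "ca.example.net; account=123", or ";" for "nobody"


# Constructed zone: domain name -> its CAA RRset (names are hypothetical).
ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [
        CAARecord(0, "issue", "ca.example.net; account=123"),
        CAARecord(0, "issuewild", ";"),                  # no wildcard issuance by anyone
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.org": [CAARecord(0, "issue", ";")],  # no issuance by anyone
    "strict.example.net": [
        CAARecord(ISSUER_CRITICAL, "futuretag", "x"),    # critical tag we do not understand
        CAARecord(0, "issue", "ca.example.net"),
    ],
}


def find_relevant_rrset(fqdn: str) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 6844 section 4: the relevant RRset is the first non-empty CAA RRset
    found walking from the FQDN toward the root (CNAME/DNAME chasing omitted)."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = ZONE.get(name, [])
        if rrset:
            return name, rrset
    return None, []


def issuer_domain(value: str) -> str:
    """Issuer domain part of an issue/issuewild value, i.e. the text before the
    first ';'. An empty result means the record grants authority to no issuer."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(fqdn: str, issuer_domains: Set[str], wildcard: bool = False) -> Tuple[bool, str]:
    """Decide whether a CA recognising `issuer_domains` as itself may issue for
    `fqdn`. Returns (permitted, reason); the reason is the per-request record a
    CA would keep to satisfy the BR's 'SHALL log all actions taken' clause."""
    recognised = {d.lower() for d in issuer_domains}
    name, rrset = find_relevant_rrset(fqdn)
    if not rrset:
        return True, f"no CAA RRset for {fqdn} or any parent; not restricted"
    # A critical property the issuer does not understand blocks issuance outright.
    for r in rrset:
        if r.flags & ISSUER_CRITICAL and r.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown property '{r.tag}' at {name}; refused"
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    kind = "issuewild" if relevant is issuewild else "issue"
    if not relevant:
        return True, f"CAA RRset at {name} has no {kind} property; not restricted"
    granted = {issuer_domain(r.value) for r in relevant}
    if granted & recognised:
        return True, f"{kind} at {name} permits {sorted(granted & recognised)}"
    return False, f"{kind} at {name} permits {sorted(d for d in granted if d)}, not us; refused"


def check_issuance(requested_name: str, issuer_domains: Set[str]) -> Tuple[bool, str]:
    """Entry point for a certificate request: a leading '*.' marks a wildcard
    request, whose CAA lookup starts at the name beneath the wildcard label."""
    if requested_name.startswith("*."):
        return caa_permits(requested_name[2:], issuer_domains, wildcard=True)
    return caa_permits(requested_name, issuer_domains)


if __name__ == "__main__":
    us = {"ca.example.net"}   # constructed Issuer Domain Name set
    for req in ("www.example.com", "*.example.com", "locked.example.org",
                "strict.example.net", "host.example.invalid"):
        print(req, check_issuance(req, us))
```

Run it to see one decision line per request; the decisions for the constructed zone are: the plain name under example.com is permitted, the wildcard is refused by the empty "issuewild", locked.example.org is refused by the empty "issue", strict.example.net is refused by the critical unknown tag even though its "issue" names us, and a name with no CAA anywhere in its tree is unrestricted. The issuer-domain match is case-insensitive and ignores parameters after ";", which is exactly the "set of Issuer Domain Names" a CP/CPS is required to enumerate.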
