On Fri, 8 Sep 2017 15:22:52 -0700 (PDT) Andy Warner via dev-security-policy <[email protected]> wrote:
> Google Trust Services published updated CP & CPS versions earlier
> today covering CAA checking. I'd suggest checking all CAs again
> tomorrow. Given the range of timezones CA operational staffs operate
> across, some may not have had a chance to publish their updates yet.

At the time I checked, it was already September 8 in all timezones.

> In terms of the 'rush' I suspect many CAs have had language prepared
> to publish well in advance, but were holding off given the number of
> discussions in various forums about how to interpret some sections of
> the RFC and BRs. Many of those discussions continued until the last
> moment, so holding off to ensure published details aligned with
> community consensus was a reasonable approach.

Could you point to a discussion that would suggest that not checking CAA at all (which is what many CAs' CP/CPSes said, including Google Trust Services') was a reasonable interpretation of the BRs?

The published details need to align with what the CA is doing. In some cases there may be ongoing discussions about how to interpret requirements (though I believe in the case of CAA they had all concluded well before the deadline), but that shouldn't stop a CA from publishing how _they_ have interpreted the requirements, so that relying parties know what the CA is doing.

Regards,
Andrew

