I would support that. I can't recall why it's in there. -----Original Message----- From: Jonathan Rudenberg [mailto:[email protected]] Sent: Monday, September 11, 2017 3:19 PM To: Jeremy Rowley <[email protected]> Cc: [email protected] Subject: Re: CAA Certificate Problem Report
> On Sep 11, 2017, at 17:03, Jeremy Rowley via dev-security-policy > <[email protected]> wrote: > > For a little more context, the idea is that we can speed up the CAA check for > all customers while working with those who have DNSSEC to make sure they > aren't killing performance. If there's a way to group them easily into > buckets (timeout + quick does DNSSEC exist check), working on improving the > experience for that particular set of customers is easier. That bucket can > then be improved later. Given the disaster that DNSSEC+CAA has been over the past few days for multiple CAs and the fact that it’s optional in the CAA RFC, what do you think about proposing a ballot to remove the DNSSEC requirement from the BRs entirely? Jonathan
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
