That seems like very poor logic and justification. Given that CAA and DNSSEC has been discussed in the CA/Browser Forum for literally years now, perhaps it's worth asking why CAs are only now discovering issues. That is, is the only reason we're discovering issues because CAs waited for the last possible moment? If so, why.
Because they didn't write test suites? If not, why not? If so, what were they? I think arguments that suggest that failing to do the right thing makes it OK to do the wrong thing are the worst arguments to make :) On Mon, Sep 11, 2017 at 2:28 PM Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I would support that. I can't recall why it's in there. > > -----Original Message----- > From: Jonathan Rudenberg [mailto:jonat...@titanous.com] > Sent: Monday, September 11, 2017 3:19 PM > To: Jeremy Rowley <jeremy.row...@digicert.com> > Cc: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: CAA Certificate Problem Report > > > > On Sep 11, 2017, at 17:03, Jeremy Rowley via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > For a little more context, the idea is that we can speed up the CAA > check for all customers while working with those who have DNSSEC to make > sure they aren't killing performance. If there's a way to group them > easily into buckets (timeout + quick does DNSSEC exist check), working on > improving the experience for that particular set of customers is easier. > That bucket can then be improved later. > > Given the disaster that DNSSEC+CAA has been over the past few days for > multiple CAs and the fact that it’s optional in the CAA RFC, what do you > think about proposing a ballot to remove the DNSSEC requirement from the > BRs entirely? > > Jonathan > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
