> On Sep 11, 2017, at 17:41, Ryan Sleevi via dev-security-policy
> <[email protected]> wrote:
>
> That seems like very poor logic and justification.
>
> Given that CAA and DNSSEC have been discussed in the CA/Browser Forum for
> literally years now, perhaps it's worth asking why CAs are only now
> discovering issues. That is, is the only reason we're discovering issues
> because CAs waited for the last possible moment? If so, why.
I think the BR clause that brings DNSSEC in is poorly drafted. It seems like the intent may be to require full DNSSEC validation for CAA lookups, but that's not what it says. I don't think the issues under discussion have anything to do with the last moment. There appear to be significant differences in understanding, which were not discussed publicly until now. The ideal path here would have been for CAs to consult with the community about the interpretation and implementation details of this clause well before it came into force.

Additionally, it may be a stretch to say that DNSSEC in the context of CAA has been discussed extensively. I'm not familiar with relevant discussions that are not indexed by Google, but when I researched this I only found a few exchanges about this specific requirement on the public mailing list.

https://cabforum.org/pipermail/public/2016-November/008831.html
https://cabforum.org/pipermail/public/2017-February/009732.html

> I think arguments that suggest that failing to do the right thing makes it
> OK to do the wrong thing are the worst arguments to make :)

My argument is not that it's okay to do the wrong thing. Instead, I think it's worth evaluating the DNSSEC requirement to decide whether it should continue to be defined as "the right thing" in the BRs. I did not see any such analysis on cabfpub.

Jonathan

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
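The disagreement in this thread is about what "full DNSSEC validation for CAA lookups" would actually require of a CA. The following is an added illustration, written for this page and not code from the email, from the CA/Browser Forum, or from any CA: it models a CAA check in the RFC 8659 style (climb from the requested name toward the root, take the closest ancestor that has CAA records, honour issue/issuewild and the issuer-critical flag) and makes the DNSSEC question an explicit switch. The zone contents, the set of names whose responses are treated as DNSSEC-validated, the `SERVFAIL` stand-in, and the `require_dnssec` parameter are all constructed assumptions for the example; a real CA would obtain the validation status from a validating resolver rather than from a lookup table.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 0x80 is the issuer-critical flag
    tag: str     # "issue", "issuewild", "iodef", or an unknown property tag
    value: str   # property value; for issue/issuewild, "<issuer-domain>[; params]" or ";" for "nobody"

@dataclass(frozen=True)
class CAAResponse:
    records: Tuple[CAARecord, ...]   # relevant CAA RRset (closest ancestor with CAA)
    dnssec_validated: bool           # answer or denial of existence chained to a trust anchor
    lookup_error: bool = False       # SERVFAIL / timeout: neither an answer nor a denial

def parse_caa_presentation(line: str) -> CAARecord:
    """Parse the zone-file presentation form, e.g. '0 issue "ca-one.example"'."""
    flags, tag, value = line.split(None, 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))

# Constructed zone data: a name mapping to None stands in for a SERVFAIL at that name.
CONSTRUCTED_ZONE: Dict[str, Optional[List[str]]] = {
    "example.com.": ['0 issue "ca-one.example"', '0 issuewild ";"'],
    "strict.example.com.": ['128 unknownprop "x"'],
    "broken.example.com.": None,
}
# Constructed set of names whose positive or negative answers are DNSSEC-validated.
CONSTRUCTED_VALIDATED: Set[str] = {".", "com.", "example.com.", "strict.example.com."}

def caa_lookup(zone: Dict[str, Optional[List[str]]], validated: Set[str], name: str) -> CAAResponse:
    """Stand-in for the resolver side: climb toward the root until a name with CAA records is found."""
    labels = name.rstrip(".").split(".")
    climbed: List[str] = []
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        climbed.append(candidate)
        if candidate in zone:
            if zone[candidate] is None:
                # A failed lookup is not a denial of existence; the CA learns nothing.
                return CAAResponse((), False, lookup_error=True)
            records = tuple(parse_caa_presentation(l) for l in zone[candidate])
            return CAAResponse(records, candidate in validated)
    # No CAA anywhere on the path: only meaningful if every denial on the path validated.
    return CAAResponse((), all(c in validated for c in climbed))

def caa_permits(resp: CAAResponse, issuer: str, wildcard: bool = False,
                require_dnssec: bool = False) -> Tuple[bool, str]:
    """Decide whether `issuer` may issue for the name the response was gathered for."""
    if resp.lookup_error:
        return False, "lookup failed: no answer and no denial of existence"
    if require_dnssec and not resp.dnssec_validated:
        # This is the branch the thread is arguing about: does the BR clause require it?
        return False, "response not DNSSEC-validated and policy requires validation"
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & 0x80 and r.tag not in known for r in resp.records):
        return False, "issuer-critical property with an unrecognised tag"
    if wildcard:
        relevant = [r for r in resp.records if r.tag == "issuewild"]
        if not relevant:  # issuewild absent: issue properties govern wildcards too
            relevant = [r for r in resp.records if r.tag == "issue"]
    else:
        relevant = [r for r in resp.records if r.tag == "issue"]
    if not relevant:
        return True, "no applicable issue/issuewild property; issuance unrestricted"
    for r in relevant:
        if r.value.split(";", 1)[0].strip().lower() == issuer.lower():
            return True, "issuer named in a matching property"
    return False, "issue/issuewild properties present but none name this issuer"

if __name__ == "__main__":
    for name, issuer, wc, req in [("www.example.com.", "ca-one.example", False, True),
                                  ("www.example.com.", "ca-one.example", True, True),
                                  ("www.unsigned.test.", "ca-one.example", False, False),
                                  ("www.unsigned.test.", "ca-one.example", False, True)]:
        resp = caa_lookup(CONSTRUCTED_ZONE, CONSTRUCTED_VALIDATED, name)
        print(name, issuer, "wildcard" if wc else "", caa_permits(resp, issuer, wc, req))
```

The `www.unsigned.test.` case is the one that matters for the thread: with `require_dnssec=False` an unsigned zone with no CAA records leaves issuance unrestricted, while with `require_dnssec=True` the same lookup refuses to issue because the empty answer cannot be authenticated. Which of those two behaviours the BR clause mandates is exactly the interpretive question the reply raises.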

