On 08/09/17 20:24, Andrew Ayer via dev-security-policy wrote:
> The BRs state:
>
> "Effective as of 8 September 2017, section 4.2 of a CA's Certificate
> Policy and/or Certification Practice Statement (section 4.1 for CAs
> still conforming to RFC 2527) SHALL state the CA's policy or practice
> on processing CAA Records for Fully Qualified Domain Names; that policy
> shall be consistent with these Requirements. It shall clearly specify
> the set of Issuer Domain Names that the CA recognises in CAA 'issue' or
> 'issuewild' records as permitting it to issue. The CA SHALL log all
> actions taken, if any, consistent with its processing practice."
>
> Since it is now 8 September 2017, I decided to spot check the CP/CPSes
> of some CAs.
>
> At time of writing, the latest published CP/CPSes of the following CAs
> are not compliant with the above provision of the BRs:

<snip>

> Comodo (https://www.comodo.com/about/comodo-agreements.php) - Does not
> specify issuer domain names

Andrew, thanks for bringing this to our attention.

Our CPS has now been updated.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online