Hi all, I have a question regarding processing of CAA records for “wildcard certificates”.
Let’s assume the following CSR:

    X509v3 Subject Alternative Name:
        DNS: *.example.com
        DNS: example.com

Per BR, every SAN DNS name must be checked separately. Now, my interpretation would be that for *.example.com, you would query example.com for an “issuewild” entry, and for example.com, you would query example.com for an “issue” entry.

What if the zone file looks like this:

    example.com 0 CAA 0 issue ";"
    example.com 0 CAA 0 issuewild "yourca"

My interpretation would be that “yourca” (as any other CA) would not be permitted to issue this certificate, as it is not allowed to issue for the non-wildcard part example.com.

A plunge through the related documents [see appendix] seems to point in that direction, but I still have doubts. What is the community interpretation?

Kind regards
Quirin

---------
Appendix:

BR defines a wildcard certificate as:

> "Wildcard Certificate: A Certificate containing an asterisk (*) in the left‐most position of any of the Subject Fully‐Qualified Domain Names contained in the Certificate.”

—> This means that the whole certificate is a wildcard certificate.

RFC 2818:

> Names may contain the wildcard character * which is considered to match any
> single domain name component or component fragment. E.g., *.a.com matches
> foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.

—> example.com is not part of *.example.com

RFC 6844:

> issuewild <Issuer Domain Name> [; <name>=<value> ]* : The issuewild
> property entry authorizes […] to issue wildcard certificates for the
> domain in which the property is published.

> Given a request for a specific domain X, or a request for a wildcard
> domain *.X, the relevant record set R(X) is determined as follows:

—> The 'relevant record set' is specified per domain

> issuewild properties MUST be ignored when processing a request for a
> domain that is not a wildcard domain.

—> Especially this last paragraph seems to indicate that the CSR above would not be permitted to be issued. Also, it specifically uses “domain” and not “certificate”.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
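The per-SAN check described in the post, worked through in code. This is an added example, not code from the original message or from any CA: it models RFC 6844 section 4 (the relevant record set R(X), climbing to the parent when a name has no CAA RRset) and the issue/issuewild precedence rules against a constructed in-memory zone that stands in for the DNS. Assumptions: CNAME/DNAME alias chasing is omitted, and a relevant RRset that carries no applicable issue or issuewild property is treated as not restricting issuance; the function and variable names are the example's own.

```python
"""Added example: minimal offline model of RFC 6844 CAA processing for a
CSR containing several SAN dNSNames.

The "DNS" is a constructed dictionary standing in for the zone quoted in
the post; CNAME/DNAME handling from RFC 6844 section 4 is omitted
(assumption: no aliases anywhere in the chain)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str    # "issue", "issuewild", "iodef", ...
    value: str  # e.g. 'yourca', ';', 'yourca; policy=ev'


# Constructed zone data modelling the post's example:
#   example.com 0 CAA 0 issue ";"
#   example.com 0 CAA 0 issuewild "yourca"
ZONE: Dict[str, List[CAA]] = {
    "example.com": [CAA(0, "issue", ";"), CAA(0, "issuewild", "yourca")],
}


def parent(name: str) -> Optional[str]:
    """P(X): strip the left-most label; None once only one label is left."""
    if "." not in name:
        return None
    return name.split(".", 1)[1]


def relevant_record_set(name: str, zone: Dict[str, List[CAA]] = ZONE) -> List[CAA]:
    """R(X) per RFC 6844 s.4: the CAA RRset of X itself if present,
    otherwise R(P(X)), climbing the tree until a CAA RRset is found or
    the tree is exhausted (alias handling omitted, see module docstring)."""
    x: Optional[str] = name.rstrip(".").lower()
    while x is not None:
        rrset = zone.get(x)
        if rrset:
            return rrset
        x = parent(x)
    return []


def issuer_from(value: str) -> str:
    """The <Issuer Domain Name> before any ';'-separated parameters.
    A bare ';' yields an empty issuer, i.e. 'no CA is authorized'."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca: str, san: str, zone: Dict[str, List[CAA]] = ZONE) -> bool:
    """Does CAA permit `ca` to issue for the single SAN dNSName `san`?

    For *.X the issuewild properties of R(X) apply if any are present,
    otherwise the issue properties; for a non-wildcard name issuewild
    properties are ignored (RFC 6844 s.5.3)."""
    wildcard = san.startswith("*.")
    domain = san[2:] if wildcard else san
    rrset = relevant_record_set(domain, zone)
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        # Assumption: no applicable issue/issuewild property means CAA does
        # not restrict issuance for this name.
        return True
    return any(issuer_from(r.value) == ca.lower() for r in applicable)


def may_issue_certificate(ca: str, sans: List[str],
                          zone: Dict[str, List[CAA]] = ZONE) -> bool:
    """Per BR every SAN dNSName is checked separately; all must pass."""
    return all(may_issue(ca, s, zone) for s in sans)


if __name__ == "__main__":
    csr_sans = ["*.example.com", "example.com"]
    for s in csr_sans:
        print(f"{s:>16}: {'permitted' if may_issue('yourca', s) else 'refused'}")
    print("certificate as a whole:",
          "permitted" if may_issue_certificate("yourca", csr_sans) else "refused")
```

Run against the post's zone, `*.example.com` alone is permitted for `yourca` (the issuewild record governs the wildcard name), `example.com` alone is refused (the `issue ";"` record authorizes nobody), so the two-SAN certificate is refused as a whole. Because R(X) climbs the tree, `www.example.com` inherits the same refusal and `*.www.example.com` the same permission.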