I concur with Wayne's position that the discussion up to this point isn't
leading to a solution.

I represent nothing further than that I'm a systems and DNS administrator
and domain holder (and thus, I submit, an interested and not entirely
uninformed ecosystem participant) who has had an understanding historically
(whether or not correct) that CAA pertained to server certificates.

On Tue, May 15, 2018 at 11:40 AM, Wayne Thayer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> I don't see how this debate is leading us to a solution. Can we just
> acknowledge that, prior to this discussion, the implications of CAA for the
> issuance of email certificates were not well understood by CAs or domain
> name registrants?
>
> I share the desire to have a system that fails closed in the presence of
> any CAA record, but that is a challenge as long as ecosystem participants
> view CAA as applicable only to server certificates. The sooner we address
> this issue, the better.
>
> Mozilla policy isn't a great place to define CAA syntax. The CA/Browser
> Forum currently has no jurisdiction over email, so at best could define
> syntax to limit CAA scope to server certificates. The scope of the LAMPS
> recharter for 6844bis appears too narrow to include this. What is the best
> path forward?
>
> - Wayne
>
> On Tue, May 15, 2018 at 9:29 AM Tim Hollebeek via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > Blatantly false.  I actually suspect DigiCert might already support CAA
> > for email.  I haven’t double-checked.
> >
> > -Tim
> >
> > The only reason that "CAA is HTTPS-only" today is because CAs are not
> > interested in doing the 'right' thing.
> >
> >
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>