I concur with Wayne's position that the discussion up to this point isn't leading to a solution.
I represent nothing further than that I'm a systems and DNS administrator and domain holder (and thus, I submit, an interested and not entirely uninformed ecosystem participant) who has had an understanding historically (whether or not correct) that CAA pertained to server certificates.

On Tue, May 15, 2018 at 11:40 AM, Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> I don't see how this debate is leading us to a solution. Can we just
> acknowledge that, prior to this discussion, the implications of CAA for the
> issuance of email certificates was not well understood by CAs or domain
> name registrants?
>
> I share the desire to have a system that fails closed in the presence of
> any CAA record, but that is a challenge as long as ecosystem participants
> view CAA as applicable only to server certificates. The sooner we address
> this issue, the better.
>
> Mozilla policy isn't a great place to define CAA syntax. The CA/Browser
> Forum currently has no jurisdiction over email, so at best could define
> syntax to limit CAA scope to server certificates. The scope of the LAMPS
> recharter for 6844bis appears too narrow to include this. What is the best
> path forward?
>
> - Wayne
>
> On Tue, May 15, 2018 at 9:29 AM Tim Hollebeek via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > Blatantly false. I actually suspect DigiCert might already support CAA
> > for email. I haven’t double-checked.
> >
> > -Tim
> >
> > The only reason that "CAA is HTTPS-only" today is because CAs are not
> > interested in doing the 'right' thing.
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy