I think CAA is and should be HTTPS only until there are clear rules for how it should work for email, and how to keep web CAA from interfering with email CAA. E-mail is currently the wild west and that needs to be fixed.
I’m strongly in favor of email CAA, once we get it ‘right’. But there’s no document out there that specifies what ‘right’ is yet. And there isn’t much value to CAA if only a few CAs do it. That’s why I think we need 8644-bis first. Or another RFC explaining CAA for email.

-Tim

From: Ryan Sleevi [mailto:r...@sleevi.com]
Sent: Tuesday, May 15, 2018 12:44 PM
To: Tim Hollebeek <tim.holleb...@digicert.com>
Cc: r...@sleevi.com; Pedro Fuentes <pfuente...@gmail.com>; mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: question about DNS CAA and S/MIME certificates

Tim,

Could you clarify then. Are you disagreeing that CAA is HTTPS only? As these were your words only 3 hours ago - https://groups.google.com/d/msg/mozilla.dev.security.policy/NIc2Nwa9Msg/0quxT0CpCQAJ

On Tue, May 15, 2018 at 12:28 PM, Tim Hollebeek <tim.holleb...@digicert.com> wrote:

Blatantly false. I actually suspect DigiCert might already support CAA for email. I haven’t double-checked.

-Tim

The only reason that "CAA is HTTPS-only" today is because CAs are not interested in doing the 'right' thing.
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
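The thread's concern that "web CAA" could interfere with "email CAA" is easy to see once the CAA lookup rules are written down. The following evaluator is an added example (my own code, not from the thread, from DigiCert or from any CA) that implements the RFC 6844 lookup and `issue`/`issuewild` matching over a constructed in-memory zone; the zone contents, the CA domain names (`web-ca.example`, `mail-ca.example`, `wild-ca.example`) and the `futuretag` property are all invented for illustration. Because the `issue` property names a CA and says nothing about certificate type, a record a domain owner wrote with TLS certificates in mind decides an S/MIME request exactly the same way, which is the ambiguity the thread says a specification would have to resolve.

```python
from dataclasses import dataclass

ISSUER_CRITICAL = 128  # RFC 6844 flag bit: unknown critical property => do not issue
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed zone for the example: owner name -> CAA RRset. A real CA would
# query DNS (and follow CNAME/DNAME as RFC 6844 requires); this does neither.
ZONE = {
    "example.com.": [CAA(0, "issue", "web-ca.example")],           # written for TLS
    "locked.example.": [CAA(0, "issue", ";")],                      # nobody may issue
    "wild.example.": [CAA(0, "issue", "web-ca.example"),
                      CAA(0, "issuewild", "wild-ca.example")],
    "strict.example.": [CAA(ISSUER_CRITICAL, "futuretag", "x")],    # hypothetical tag
}


def lookup_caa(name, zone):
    """RFC 6844 section 4: the relevant RRset is that of the closest name,
    starting at `name` itself and climbing towards the root, that has CAA
    records. Returns [] when no ancestor has any."""
    labels = name.rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels) + ".", [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def ca_may_issue(name, ca_domain, zone, wildcard=False):
    """Return True if the CA identified by `ca_domain` may issue for `name`.

    Rules applied (RFC 6844 sections 3, 5.2, 5.3):
      * no relevant RRset at all            -> issuance unrestricted
      * an unknown property with the critical flag set -> must not issue
      * wildcard request and issuewild present -> only issuewild is consulted
      * otherwise issue is consulted; with none present -> unrestricted
      * authorised only if some value's issuer-domain part equals ca_domain;
        a bare ';' (empty issuer) therefore denies everyone
    Note that nothing here depends on what the certificate is for: a TLS and
    an S/MIME request for the same name get the same answer.
    """
    rrset = lookup_caa(name, zone)
    if not rrset:
        return True
    if any(r.flags & ISSUER_CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"
    relevant = [r for r in rrset if r.tag == tag]
    if not relevant:
        return True
    # value grammar: issuer-domain [; parameter=value ...]
    return any(r.value.split(";")[0].strip().lower() == ca_domain.lower()
               for r in relevant)


def decisions_by_cert_type(name, ca_domain, zone):
    """Evaluate one name for a TLS and for an S/MIME request. Both map onto the
    same CAA check because the record carries no certificate-type notion."""
    verdict = ca_may_issue(name, ca_domain, zone)
    return {"tls": verdict, "smime": verdict}


if __name__ == "__main__":
    for host, ca in [("example.com", "web-ca.example"),
                     ("mail.example.com", "mail-ca.example"),
                     ("locked.example", "web-ca.example"),
                     ("nocaa.example", "mail-ca.example")]:
        print(host, ca, decisions_by_cert_type(host, ca, ZONE))
```

The `mail.example.com` case is the one the thread is about: the owner of `example.com` published `issue "web-ca.example"` to pin its TLS issuer, and under the rules as written an S/MIME CA checking CAA for an address at that domain would be refused as well, unless an email-specific rule says otherwise.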