Hi Michel,

> On 23. Jul 2018, at 22:36, michel.lebihan2000--- via dev-security-policy <[email protected]> wrote:
>
> I think my domain registrar just violated my CAA by issuing that
> certificate. Were they allowed to issue this certificate?

The name servers for lebihan.pl are ns[1-3].nazwa.pl, which indicates that your hoster (nazwa.pl) also operates your name servers. The certificate is issued by nazwaSSL, which links to Certum’s roots.

Checking against current version 1.6.0 of BRs, Sec 3.2.2.8 reads:

"CAA checking is optional if the CA or an Affiliate of the CA is the DNS Operator (as defined in RFC 7719) of the domain's DNS."

So, if I am not mistaken at some step, this is probably OK per current CAB BRs.

Kind regards
Quirin

