On 25.07.2018 at 23:21, Quirin Scheitle via dev-security-policy wrote:
Hi Michel,

On 23. Jul 2018, at 22:36, michel.lebihan2000--- via dev-security-policy 
<[email protected]> wrote:

I think my domain registrar just violated my CAA by issuing that
certificate. Were they allowed to issue this certificate?

the name servers for lebihan.pl are ns[1-3].nazwa.pl. , which indicates that 
your hoster (nazwa.pl) also operates your name servers.

The certificate is issued by nazwaSSL, which links to Certum’s roots.

Checking against current version 1.6.0 of BRs, Sec 3.2.2.8 reads:

"CAA checking is optional if the CA or an Affiliate of the CA is the DNS 
Operator (as defined in RFC 7719) of the domain's DNS."

So, if I am not mistaken at some step, this is probably OK per current CAB BRs.

Hi,

Thank you.

I checked the logs. At the moment of performing CAA verification for the lebihan.pl domain we found "certum.pl":

lebihan.pl.         300     IN      CAA     0 issue "certum.pl"

"certum.pl" is specified in our CPS as an accepted CAA record.

I would like to highlight that we always check the CAA record, even if "the CA or an Affiliate of the CA is the DNS Operator (as defined in
RFC 7719) of the domain's DNS".

--
Wojciech Trapczyński

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
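The decision described in this thread (the relevant CAA RRset is found by walking up from the FQDN, and issuance is permitted only if an `issue` record names one of the CA's recognised issuer domains) can be written down as a small evaluator following RFC 8659. This is an added example, not code from the thread or from Certum/nazwa.pl; the `lebihan.pl.` record is the one quoted above, every other zone entry (`example.test.`, `deny.test.`, `critical.test.`) is constructed, and the function names are hypothetical. It works on an in-memory zone rather than live DNS, and does not chase CNAME/DNAME or validate DNSSEC.

```python
"""Evaluate whether a CA may issue for an FQDN under RFC 8659 CAA semantics."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) is the issuer-critical flag
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. 'certum.pl', 'certum.pl; account=123', or ';' (nobody)


# Constructed zone data; only the lebihan.pl record comes from the thread.
ZONE = {
    "lebihan.pl.": [CAA(0, "issue", "certum.pl")],
    "example.test.": [CAA(0, "issue", "ca-a.test"), CAA(0, "issuewild", ";")],
    "deny.test.": [CAA(0, "issue", ";")],
    "critical.test.": [CAA(128, "future-tag", "x")],
}


def relevant_rrset(fqdn: str, zone: dict) -> list:
    """Walk from the FQDN towards the root; the first non-empty CAA RRset wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    while labels:
        name = ".".join(labels) + "."
        if zone.get(name):
            return zone[name]
        labels.pop()
    return []


def issuer_domain(value: str) -> str:
    """'certum.pl; account=123' -> 'certum.pl'; ';' -> '' (no issuer permitted)."""
    return value.split(";", 1)[0].strip().lower().rstrip(".")


def may_issue(fqdn: str, ca_identifiers: set, wildcard: bool = False, zone: dict = ZONE) -> bool:
    rrset = relevant_rrset(fqdn, zone)
    if not rrset:
        return True   # no CAA anywhere up the tree: issuance is unrestricted
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False  # critical property the CA does not understand: must not issue
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"   # issuewild records override issue for wildcard requests
    relevant = [r for r in rrset if r.tag == tag]
    if not relevant:
        return True   # e.g. only iodef records present
    wanted = {i.lower().rstrip(".") for i in ca_identifiers}
    return any(issuer_domain(r.value) in wanted for r in relevant)
```

A CA's "accepted CAA record" value, as the reply calls it, is the set passed as `ca_identifiers`; logging the RRset actually fetched at validation time, as done here, is what lets a later dispute be settled.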
