On Tue, Mar 12, 2019 at 12:08 PM Thomas-Louis Laforest via
dev-security-policy <[email protected]> wrote:

> Good day,
>
> I want to share what is happening right now with the issuance of a
> certificate for my domain.
>
> I had set up my CAA record and requested a certificate from a new CA, but
> forgot to correct my CAA record.
> The certificate issuance failed, all good.
>
> I detected the issue but in the meantime I asked support to confirm the
> issue.
>
> This is the message I got:
>
> “Upon checking with Comodo's technical team, they advised to remove the
> CAA records for the domain *** so that your certificate can be issued. Once
> removed, please write back to us so that I can again contact Comodo to
> inform that the CAA records are removed on your end.”
>
> I understand that the BR allows a CA to produce the certificate if there
> is no CAA record, but I’m surprised that the correction for a CAA record
> missing the CA is to remove it and not correct it.
>
> I’m unsure where to share this story, as I see this type of support answer
> as removing the value of the CAA. If the CA support solution is to ask for
> removal, is it not a way to circumvent the intent of providing a way for
> domain owners to control the list of CA issuers?
>
> If this is the way CAs intend to manage CAA records over time, what is the
> long-term value of having a record at all? I'm sceptical that, except for
> people who go above and beyond, they will just remove the record or never
> create one to start.
>
> Maybe that is the intent of ballot 219 that changes the BR analysis of empty
> CAA records; I do not know where to look for the discussion on the ballot. I
> tried to find a discussion in this forum about that type of situation and
> found nothing, so I share mine.
>

I'm not fully sure I understand your question on Ballot 219.

However, I see no issue with CA support directing folks to correct or
remove a CAA record. In general, if you as a domain holder have set CAA,
you're expected to know what to set it to or the implications. If you have
administrative control to be able to change your CAA records, then you're
ultimately responsible for what that CAA record should say.

There are benefits to correcting the CAA record versus removing it, but
especially as a support function, it's reasonable to assess and diagnose as
they see fit, provided it remains compliant with the Baseline Requirements.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
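The difference between the two fixes discussed in this thread (deleting the CAA record set versus adding the new CA to it) comes down to how a CA evaluates CAA under RFC 8659: if the tree climb from the requested name finds no CAA RRset at all, CAA does not restrict issuance, so any CA may issue. The script below is an added example, not code from the thread or from any CA; it implements that lookup and the issue/issuewild matching rules over a constructed in-memory zone instead of live DNS. The names `example.test.`, `old-ca.test`, `new-ca.test` and `anyone.test` are placeholders, and the `compare` helper is mine.

```python
"""Toy CAA evaluator (added example, not from the thread).

Implements the RFC 8659 tree-climbing lookup and issue/issuewild matching
over a constructed, in-memory zone, so the effect of "remove the CAA record"
versus "add the new CA to it" can be compared offline.
"""
from typing import Dict, List, NamedTuple


class CAA(NamedTuple):
    flags: int   # 128 = "issuer critical" bit
    tag: str     # issue / issuewild / iodef / (unknown)
    value: str   # "<issuer-domain>[; params]"; the value ";" authorises nobody


KNOWN_TAGS = {"issue", "issuewild", "iodef"}
Zone = Dict[str, List[CAA]]


def relevant_rrset(zone: Zone, fqdn: str) -> List[CAA]:
    """Walk from fqdn toward the root; return the first non-empty CAA RRset."""
    labels = fqdn.rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels) + ".", [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []   # no CAA anywhere in the tree


def issuer_domain(value: str) -> str:
    """The issuer domain is the part of the value before any ';' parameters."""
    return value.split(";", 1)[0].strip().lower()


def issuance_permitted(zone: Zone, name: str, ca_domain: str) -> bool:
    """Return True if the CA identified by ca_domain may issue for name."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(zone, name[2:] if wildcard else name)
    if not rrset:
        return True    # no relevant RRset: CAA does not restrict issuance
    # An unrecognised property with the critical bit set means the CA must refuse.
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"   # issuewild governs wildcard names when present
    restricting = [r for r in rrset if r.tag.lower() == tag]
    if not restricting:
        return True    # e.g. only an iodef record: nothing restricts issuance
    return any(issuer_domain(r.value) == ca_domain.lower() for r in restricting)


# Constructed zones; the CA domains are placeholders, not real issuers.
ZONE_BEFORE: Zone = {"example.test.": [CAA(0, "issue", "old-ca.test")]}
ZONE_REMOVED: Zone = {}   # the support team's suggestion: delete the record set
ZONE_CORRECTED: Zone = {"example.test.": [
    CAA(0, "issue", "old-ca.test"),
    CAA(0, "issue", "new-ca.test; account=placeholder"),
    CAA(0, "issuewild", ";"),                      # no wildcard certs from anyone
    CAA(0, "iodef", "mailto:caa-reports@example.test"),
]}


def compare(name: str,
            cas=("old-ca.test", "new-ca.test", "anyone.test")) -> Dict[str, Dict[str, bool]]:
    """Which CAs may issue for name under each zone variant (hypothetical helper)."""
    variants = (("before", ZONE_BEFORE), ("removed", ZONE_REMOVED),
                ("corrected", ZONE_CORRECTED))
    return {label: {ca: issuance_permitted(zone, name, ca) for ca in cas}
            for label, zone in variants}


if __name__ == "__main__":
    for label, result in compare("www.example.test.").items():
        print(f"{label:9s} {result}")
    print("wildcard under corrected zone:",
          issuance_permitted(ZONE_CORRECTED, "*.example.test.", "new-ca.test"))
```

Running it shows the trade-off the reply alludes to: the "removed" zone lets `new-ca.test` issue, but so can `anyone.test`, whereas the "corrected" zone admits exactly the two intended issuers and still blocks wildcard issuance. The same check is a cheap pre-flight to run before opening a support ticket, since it reproduces the CA's decision from the published records alone.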
