Ryan Sleevi <[email protected]> wrote:
> That is, an issue/issuewild parameter tag with a CA-specific property
> defined by the CA/Browser Forum (or by IETF) that detailed specific
> provisions for certain CNAMEs children.
Hmm, maybe something like
example.com CAA 0 issue "digicert.com"
example.com CAA 0 override "someapp.example.com issue:letsencrypt.org"
would mean that Digicert can issue certs for anything under example.com
with the exception of 'someapp.example.com', for which only Let's
Encrypt can issue a cert.
I.e., the 'override' tag may override CAA records for the given name. The
name must be within the same domain and must be deeper than where this
CAA record is set.
Let's say that this only is useful for CNAMEs; this would require the CA
to extend the handling of CNAMEs:
Let CAA(X) be the record set returned in response to performing a CAA
record query on the label X, P(X) be the DNS label immediately above
X in the DNS hierarchy, O(X) be the result of an override, and A(X)
be the target of a CNAME or DNAME alias record chain specified at the
label X.
o If CAA(X) is not empty, R(X) = CAA(X), otherwise
o If A(X) is not null, and CAA(A(X)) is not empty, then R(X) =
CAA(A(X)), otherwise
o If X is not a top-level domain, then
o If R(P(X)) contains an 'override' for X, then R(X) = O(P(X)), otherwise
o R(X) = R(P(X))
otherwise
o R(X) is empty.
> Elegant? No.
Indeed...
-Jan
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
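A toy resolver for the override semantics sketched in the mail above, added here as an illustration and not code from the thread; the zone data, the CNAME target app.hosting.example.net and all function names are constructed assumptions, and a label without a dot is treated as a top-level domain.

```python
# Constructed zone data for a toy resolver of the 'override' proposal:
# name -> list of (tag, value) CAA records, and name -> CNAME target.
CAA = {
    "example.com": [
        ("issue", "digicert.com"),
        ("override", "someapp.example.com issue:letsencrypt.org"),
    ],
}
CNAME = {"someapp.example.com": "app.hosting.example.net"}  # constructed

def parent(x):
    """P(X): the label immediately above X, or None at the top (no dot)."""
    return x.split(".", 1)[1] if "." in x else None

def alias(x):
    """A(X): final target of a CNAME chain at X, or None (loop-safe)."""
    seen, target = set(), None
    while x in CNAME and x not in seen:
        seen.add(x)
        x = target = CNAME[x]
    return target

def override_for(rrset, name):
    """O(P(X)): records an 'override' in rrset supplies for name, else None."""
    for tag, value in rrset:
        target, _, rest = value.partition(" ")
        if tag == "override" and target == name:
            otag, _, oval = rest.partition(":")
            return [(otag, oval)]
    return None

def relevant(x):
    """R(X) following the steps in the mail, one branch per step."""
    if CAA.get(x):                      # CAA(X) not empty
        return CAA[x]
    a = alias(x)
    if a is not None and CAA.get(a):    # CAA(A(X)) not empty
        return CAA[a]
    p = parent(x)
    if p is None:                       # X is a top-level domain
        return []
    parent_set = relevant(p)
    ov = override_for(parent_set, x)    # does the parent override X?
    return ov if ov is not None else parent_set

def permitted_issuers(x):
    """CA domains named in 'issue' tags of R(X)."""
    return sorted(v for t, v in relevant(x) if t == "issue")
```

With this data, www.example.com resolves to digicert.com, while someapp.example.com (and labels beneath it) resolve to letsencrypt.org only.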