On Tue, Feb 9, 2021 at 9:22 PM Nick Lamb via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On Mon, 8 Feb 2021 13:40:05 -0500
> Andrew Ayer via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
> > The BRs permit CAs to bypass CAA checking for a domain if "the CA or
> > an Affiliate of the CA is the DNS Operator (as defined in RFC 7719)
> > of the domain's DNS."
>
> Hmm. Would this exemption be less dangerous for a CA which is the
> Registry for the TLD?

Potentially, but that's not the use case for why this exists. Recall that Registry != Registrar here, and even then, the Operator may be distinct from either of those two. The use case argued was not limited to "just" gTLDs.