On Wed, Feb 10, 2021 at 02:21:53AM +0000, Nick Lamb via dev-security-policy 
> On Mon, 8 Feb 2021 13:40:05 -0500
> Andrew Ayer via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
> > The BRs permit CAs to bypass CAA checking for a domain if "the CA or
> > an Affiliate of the CA is the DNS Operator (as defined in RFC 7719)
> > of the domain's DNS."
> Hmm. Would this exemption be less dangerous for a CA which is the
> Registry for the TLD ?

I understand this would remove one way to shoot yourself in the foot.

> [...], but it seems like it's pretty clear
> that either you are the registry for some TLD or you aren't, and so
> that confusion ought not to arise in this case.

The argument is that theoretically this could work, but in practice people get
this wrong. Examples were given that confusion in fact happens.

pozdrawiam / best regards
Wojtek Porczyk
Graphene / Invisible Things Lab
 I do not fear computers,
 I fear lack of them.
    -- Isaac Asimov

Attachment: signature.asc
Description: PGP signature

dev-security-policy mailing list

Reply via email to