if they didn't open RDNS, clients wouldn't be allowed to override it: although I would say that's working as intended, as writing a certificate for a year on dynamic IPs that another person may use a few days later doesn't look like a good idea.
On Saturday, December 3, 2022 at 1:59:01 AM UTC+9, [email protected] wrote:
>
> On Fri, Dec 2, 2022 at 9:56 AM Paul Wouters <[email protected]> wrote:
>
>> On Fri, 2 Dec 2022, 'Kurt Seifried' via [email protected] wrote:
>>
>> > I read it briefly but it seems to me like there's a significant failure/abuse scenario:
>> > ISP controls an IP block that it portions out to customers. ISP has a web server and puts in the IP/IPv6 CAA records.
>> >
>> > Customers that use delegated IP space from the ISP can now only use those CAAs as well if they want to use this standard, correct?
>> >
>> > If this is correct, and I was a CA and read this I'd be building a PowerPoint deck for my sales team on how ISPs can partner with us to get a 20-50% commission on sales of certificates by doing this one simple thing...
>>
>> No,
>>
>> As Antonios wrote:
>>
>> a CAA record in 2.0.0.c.d.3.d.0.a.2.ip6.arpa takes precedence over one in 0.c.d.3.d.0.a.2.ip6.arpa .
>>
>> Paul
>
> Right, sorry got it backwards, couldn't the ISP also declare a CAA record at a lower level assuming they control the IP space....
>
>> > On Fri, Dec 2, 2022 at 9:23 AM Antonios Chariton <[email protected]> wrote:
>> > Hello everyone,
>> > I have submitted the following Internet Draft to the IETF LAMPS Working Group for consideration: https://datatracker.ietf.org/doc/draft-chariton-ipcaa/
>> >
>> > You can read the mailing list thread here: https://mailarchive.ietf.org/arch/msg/spasm/dQLF1fQQPNX9A59YV4imXRz9ABw/
>> >
>> > This proposes the creation of a new CAA record property, on top of the existing ones, e.g. “issuewild”, that will allow an entity controlling an IP address to benefit from the power of CAA records.
>> >
>> > The idea is to add CAA records to the “reverse DNS” zones, ip6.arpa and in-addr.arpa, that support the hierarchical nature of DNS: a CAA record in 2.0.0.c.d.3.d.0.a.2.ip6.arpa takes precedence over one in 0.c.d.3.d.0.a.2.ip6.arpa .
>> >
>> > As this is relevant to the WebPKI, I am sending this e-mail here to solicit your feedback on the idea, any potential improvements, etc.
>> >
>> > Thanks,
>> > Antonis
>> >
>> > GitHub Repo: https://github.com/daknob/draft-chariton-ipcaa
>> > HTML: https://daknob.github.io/draft-chariton-ipcaa/
>> > TXT: https://daknob.github.io/draft-chariton-ipcaa/draft.txt
>> >
>> > --
>> > You received this message because you are subscribed to the Google Groups "[email protected]" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/788376DF-8D67-48E0-AEE1-52085183217D%40gmail.com .
>> >
>> > --
>> > Kurt Seifried (He/Him)
>> > [email protected]
>
> --
> Kurt Seifried (He/Him)
> [email protected]
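As an added illustration of the precedence rule the thread argues over (this is not code from the draft or from any participant), the following walks a reverse-DNS name from the host's own label set up toward ip6.arpa / in-addr.arpa and returns the deepest name that carries CAA records. The zone contents, CA names and the /40 delegation are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed reverse-zone data (not from the draft): an ISP publishes CAA at
# its /32, a customer publishes CAA at the /40 delegated to it, plus one IPv4
# block. Records are in presentation form: "<flags> <tag> <value>".
CAA_ZONE: Dict[str, List[str]] = {
    "0.c.d.3.d.0.a.2.ip6.arpa": ['0 issue "isp-ca.example"'],         # 2a0d:3dc0::/32
    "2.0.0.c.d.3.d.0.a.2.ip6.arpa": ['0 issue "customer-ca.example"'],  # 2a0d:3dc0:200::/40
    "2.0.192.in-addr.arpa": ['0 issue "v4-ca.example"'],               # 192.0.2.0/24
}


def reverse_name(prefix: str) -> str:
    """Reverse-DNS name covering a prefix: nibble labels under ip6.arpa,
    octet labels under in-addr.arpa (prefix length rounded down to a label)."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version == 6:
        digits = net.network_address.exploded.replace(":", "")   # 32 hex nibbles
        labels = list(reversed(digits[: net.prefixlen // 4])) + ["ip6", "arpa"]
    else:
        octets = str(net.network_address).split(".")
        labels = list(reversed(octets[: net.prefixlen // 8])) + ["in-addr", "arpa"]
    return ".".join(labels)


def caa_lookup(ip: str, zone: Dict[str, List[str]]) -> Optional[Tuple[str, List[str]]]:
    """Climb from the host's full reverse name toward the arpa apex and return
    the first name holding CAA records. The deepest match wins, so a record
    published at a more specific (longer) reverse name overrides a shorter one,
    and whoever controls that deeper label set controls the effective policy."""
    addr = ipaddress.ip_address(ip)
    labels = reverse_name(f"{addr}/{addr.max_prefixlen}").split(".")
    for start in range(len(labels) - 1):        # stop before the bare "arpa" label
        name = ".".join(labels[start:])
        if name in zone:
            return name, zone[name]
    return None                                  # no CAA anywhere in the chain


if __name__ == "__main__":
    for ip in ("2a0d:3dc0:200::1", "2a0d:3dc0:300::1", "2a0d:4000::1", "192.0.2.7"):
        print(ip, "->", caa_lookup(ip, CAA_ZONE))
```

The first address falls inside the delegated /40 and picks up the customer's record; the second is in the ISP's /32 but outside the /40 and picks up the ISP's record.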
