On 23/02/17 09:36, Dimitris Zacharopoulos wrote:
> "CAA checking is optional for certificates issued by a Technically
> Constrained Subordinate CA in line with Section 7.1.5, where the lack of
> CAA checking is an explicit contractual provision in the contract with
> the Applicant".

I'm happy to accept that as a friendly amendment, if it brings the language of this ballot into line with the excellent work you have been doing on clarifying language elsewhere.

> I am also not sure how "the domain's zone does not have a DNSSEC
> validation chain to the ICANN root" comes into play.

If a site is using DNSSEC to secure its validation records, it is not acceptable for a DNS lookup failure to "fail open". If they are not using DNSSEC, it is under certain conditions (see below).

> I guess my ignorant question is, what happens if a domain does
> not use DNSSEC (which applies for most domains out there) that chain to
> an ICANN root? CAA fails and automatically grants permission for issuance?

It's like the ballot says - if a domain is not using DNSSEC, CAs may treat a lookup failure as permission to issue as long as the failure is not their fault and they've retried the lookup at least once.

Gerv

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
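The fail-open rule discussed in this thread (a CAA lookup failure counts as permission only when the domain is not DNSSEC-signed, the failure is not the CA's fault, and the lookup was retried at least once), as an added illustration that is not part of the mailing-list post or of any CA's code. It uses a simulated resolver so it runs offline; the CA identifier, the domain names, the error labels and the single-FQDN record matching (no climbing to parent labels) are constructed simplifications, and the record matching follows the generic RFC 6844 "issue" tag model rather than the ballot text itself.

```python
"""Simplified CAA decision logic modelling the fail-open conditions described
in the thread. All names, domains and resolver responses are constructed.
This is an illustration, not an implementation of the Baseline Requirements."""
from dataclasses import dataclass
from typing import Optional

CA_ID = "example-ca.test"  # constructed: the issuing CA's own identifier

@dataclass
class CaaRecord:
    flags: int
    tag: str
    value: str

@dataclass
class LookupResult:
    records: Optional[list]       # None means the lookup itself failed
    error: Optional[str] = None   # constructed labels: "SERVFAIL", "timeout", "local-misconfig"

# Failures that a CA could only blame on its own infrastructure (constructed set).
CA_SIDE_ERRORS = {"local-misconfig"}

class FakeResolver:
    """Constructed resolver: each domain maps to a list of successive responses.
    Once the scripted responses are exhausted, it answers NOERROR with no CAA records."""
    def __init__(self, script):
        self.script = {d: list(r) for d, r in script.items()}
        self.calls = {}

    def query(self, domain):
        self.calls[domain] = self.calls.get(domain, 0) + 1
        responses = self.script.get(domain, [])
        if not responses:
            return LookupResult(records=[])
        return responses.pop(0)

def lookup_with_retry(resolver, domain, retries=1):
    """Query once, then retry up to `retries` times while the lookup fails.
    Returns (final result, number of attempts made)."""
    result = resolver.query(domain)
    attempts = 1
    while result.records is None and attempts <= retries:
        result = resolver.query(domain)
        attempts += 1
    return result, attempts

def records_permit(records, ca_id):
    """A CAA set permits this CA if it has no 'issue' records at all, or if one
    of its 'issue' records names the CA (parameters after ';' are ignored here)."""
    issue = [r for r in records if r.tag.lower() == "issue"]
    if not issue:
        return True
    return any(r.value.split(";")[0].strip() == ca_id for r in issue)

def caa_permits_issuance(resolver, domain, dnssec_signed, ca_id=CA_ID):
    """Return (permitted, reason). Lookup failures fail closed when the zone is
    DNSSEC-signed or the failure is the CA's own; otherwise, after at least one
    retry, the failure is treated as permission, as the thread describes."""
    result, attempts = lookup_with_retry(resolver, domain, retries=1)
    if result.records is not None:
        return records_permit(result.records, ca_id), "CAA records evaluated"
    if dnssec_signed:
        return False, "lookup failure on a DNSSEC-signed zone must not fail open"
    if result.error in CA_SIDE_ERRORS:
        return False, "failure attributable to the CA itself"
    return True, f"non-DNSSEC lookup failed after {attempts} attempts: treated as permission"

if __name__ == "__main__":
    r = FakeResolver({"flaky.test": [LookupResult(None, "SERVFAIL"),
                                     LookupResult(None, "timeout")]})
    print(caa_permits_issuance(r, "flaky.test", dnssec_signed=False))
    r = FakeResolver({"flaky.test": [LookupResult(None, "SERVFAIL"),
                                     LookupResult(None, "timeout")]})
    print(caa_permits_issuance(r, "flaky.test", dnssec_signed=True))
```

The point of the `dnssec_signed` branch is the one Gerv makes: with a validation chain to the root, a failed lookup may be an attacker suppressing the record, so the CA cannot treat silence as consent. Without DNSSEC the CA has no way to tell an outage from tampering either way, which is why the ballot only tolerates fail-open there, and only after a retry and only for failures outside the CA's control.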
