On 24/02/17 12:36, Ryan Sleevi wrote:
> My belief and support is that the intent of "operated by the CA or an
> Affiliate of the CA" was to match the terminology from RFC 7719, which
> would specifically mean the interpretation (b), and the answer to the
> hypothetical question is "No, demonstration of control of a record is
> not sufficient, demonstration of operation of the authoritative name
> servers is"
>
> Is that consistent with the intent Gerv? If so, does that look like
> something you see as easy to correct? I'm wondering whether introducing
> RFC 7719 as the normative dependency might provide better clarity to
> this question.

Yes, I think this is what I mean, and using the terminology from RFC
7719 seems sensible. Consider the relevant bullet changed to:

* CAA checking is optional if the CA or an Affiliate of the CA is the
  DNS Operator (as defined in RFC 7719) of the domain's DNS

"RFC 7719" would be a link.

Gerv
