It was certainly the intention that presence of an issue prevents issue of wildcard certs.
I will re-read that section and report. Meanwhile, I have had some comment on the discovery fixup and will rev that. > On Jun 22, 2017, at 8:34 AM, Gervase Markham via Public <[email protected]> > wrote: > > On 22/06/17 06:42, y-iida--- via Public wrote: >> <C> Likewise, when there are some relevant CAA records, but no >> CAA with "issuewild" property tag at all for a certificate >> domain, we will issue wildcard certificate for that domain. > > You should read RFC6844 carefully, but to my understanding, this is > incorrect. If there is an "issue" property but no "issuewild" property, > then the "issue" property also controls the issuance of wildcard certs. > So you need to respect it in that case. > > Gerv > > _______________________________________________ > Public mailing list > [email protected] > https://cabforum.org/mailman/listinfo/public _______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
