It is not clear which of us you are responding to.
Let us consider the case proposed: * Domain example.com has an issue entry for CA alice.com but no issuewild * Certificate requested for *.example.com from bob.com So section 5.3 does not apply. There is no issuewild to take priority. The request has a wildcard so the requirement to ignore issuewild records for a non wildcard does not apply. No issuewild properties are specified. So the second part does not apply. From: Peter Bowen [mailto:[email protected]] Sent: Thursday, June 22, 2017 2:59 PM To: Phillip <[email protected]>; CA/Browser Forum Public Discussion List <[email protected]> Cc: [email protected]; [email protected] Subject: Re: "[UNVERIFIED SENDER]Re: [cabfpub] no CAA authorizations -- RFC 6844 I believe that this is a misreading, based on section 5.3: <https://tools.ietf.org/html/rfc6844#section-5.3> 5.3. CAA issuewild Property The issuewild property has the same syntax and semantics as the issue property except that issuewild properties only grant authorization to issue certificates that specify a wildcard domain and issuewild properties take precedence over issue properties when specified. Specifically: issuewild properties MUST be ignored when processing a request for a domain that is not a wildcard domain. If at least one issuewild property is specified in the relevant CAA record set, all issue properties MUST be ignored when processing a request for a domain that is a wildcard domain. This makes it clear that issue property applies when a wildcard domain is processed unless there is an issuewild property. Thanks, Peter On Jun 22, 2017, at 11:46 AM, Phillip via Public <[email protected] <mailto:[email protected]> > wrote: It is my understanding that the text as drafted prohibits issue of a wildcard certificate if the record set only contains issue records and issue of a non wildcard certificate if the record set only contains issuewild records. My reasoning is as follows: The relevant parts of the specification are: 4. Certification Authority Processing Before issuing a certificate, a compliant CA MUST check for publication of a relevant CAA Resource Record set. If such a record set exists, a CA MUST NOT issue a certificate unless the CA determines that either (1) the certificate request is consistent with the applicable CAA Resource Record set or (2) an exception specified in the relevant Certificate Policy or Certification Practices Statement applies. A certificate request MAY specify more than one domain name and MAY specify wildcard domains. Issuers MUST verify authorization for all the domains and wildcard domains specified in the request. 3. The CAA RR Type issue <Issuer Domain Name> [; <name>=<value> ]* : The issue property entry authorizes the holder of the domain name <Issuer Domain Name> or a party acting under the explicit authority of the holder of that domain name to issue certificates for the domain in which the property is published. issuewild <Issuer Domain Name> [; <name>=<value> ]* : The issuewild property entry authorizes the holder of the domain name <Issuer Domain Name> or a party acting under the explicit authority of the holder of that domain name to issue wildcard certificates for the domain in which the property is published. Section 4 specifies that the CA MUST NOT issue a certificate unless... 'is consistent' If we were to interpret 'is consistent' as meaning that the absence of an authorization record implies authorization than the whole specification becomes meaningless. The argument made that silence on issue permits issuewild would apply just as well to issue. Proposed resolution: I do not believe that the text as written is ambiguous. However, 'out of an abundance of caution and to eliminate any possible doubt, I propose an errata to read as follows: Existing text 4. Certification Authority Processing Before issuing a certificate, a compliant CA MUST check for publication of a relevant CAA Resource Record set. If such a record set exists, a CA MUST NOT issue a certificate unless the CA determines that either (1) the certificate request is consistent with the applicable CAA Resource Record set or (2) an exception specified in the relevant Certificate Policy or Certification Practices Statement applies. Replacement text 4. Certification Authority Processing Before issuing a certificate, a compliant CA MUST check for publication of a relevant CAA Resource Record set. If such a record set exists, a CA MUST NOT issue a certificate unless the CA determines that either (1) the certificate request is consistent with and explicitly authorized by the applicable CAA Resource Record set or (2) an exception specified in the relevant Certificate Policy or Certification Practices Statement applies. -----Original Message----- From: Public [mailto:[email protected]] On Behalf Of philliph--- via Public Sent: Thursday, June 22, 2017 10:47 AM To: Gervase Markham <[email protected] <mailto:[email protected]> >; CA/Browser Forum Public Discussion List <[email protected] <mailto:[email protected]> > Subject: Re: [cabfpub] no CAA authorizations -- RFC 6844 It was certainly the intention that presence of an issue prevents issue of wildcard certs. I will re-read that section and report. Meanwhile, I have had some comment on the discovery fixup and will rev that. On Jun 22, 2017, at 8:34 AM, Gervase Markham via Public <[email protected] <mailto:[email protected]> > wrote: On 22/06/17 06:42, y-iida--- via Public wrote: <C> Likewise, when there are some relevant CAA records, but no CAA with "issuewild" property tag at all for a certificate domain, we will issue wildcard certificate for that domain. You should read RFC6844 carefully, but to my understanding, this is incorrect. If there is an "issue" property but no "issuewild" property, then the "issue" property also controls the issuance of wildcard certs. So you need to respect it in that case. Gerv _______________________________________________ Public mailing list [email protected] <mailto:[email protected]> https://cabforum.org/mailman/listinfo/public _______________________________________________ Public mailing list [email protected] <mailto:[email protected]> https://cabforum.org/mailman/listinfo/public _______________________________________________ Public mailing list [email protected] <mailto:[email protected]> https://cabforum.org/mailman/listinfo/public
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
