I was thinking that the text as drafted in RFC 6844 does what was intended, which was that if any CAA records were present in a record set, issue of certificates would be restricted to CAs that were explicitly authorized to issue at least one class of certificate.

To answer the question in a more restrictive fashion: "It is my understanding that the text as drafted prohibits issue of a wildcard certificate by a CA not authorized by an issue record if the record set only contains issue records."

-----Original Message-----
From: Rob Stradling [mailto:[email protected]]
Sent: Thursday, June 22, 2017 4:39 PM
To: Phillip <[email protected]>; CA/Browser Forum Public Discussion List <[email protected]>; 'Ryan Sleevi' <[email protected]>; 'Peter Bowen' <[email protected]>
Subject: Re: [cabfpub] "[UNVERIFIED SENDER]Re: no CAA authorizations -- RFC 6844

On 22/06/17 21:13, Phillip via Public wrote:
> I am pretty sure that Peter and myself only diverged in our
> interpretation of the original proposal from Iida.

Phill, you wrote earlier:

"It is my understanding that the text as drafted prohibits issue of a wildcard certificate if the record set only contains issue records and issue of a non-wildcard certificate if the record set only contains issuewild records."

Which document is the "text as drafted" that you're referring to?

I suspect that Peter and Ryan both thought that you were referring to RFC6844. (And indeed, if you're not referring to RFC6844, I'm not sure which document you are referring to!)

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
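As an added example that is not part of this thread, the following evaluator applies the reading Phillip states above (issue records govern wildcard names when no issuewild records exist, and an issuewild-only set authorizes no CA for non-wildcard names); the record values and CA identifiers are constructed sample data.

```python
# Added example (not the thread's own code): a CAA evaluator following the
# reading stated in the thread, where a non-empty issue/issuewild set
# restricts issuance to the CAs it explicitly names.
from typing import List, Tuple

CaaRecord = Tuple[str, str]  # (property tag, value), e.g. ("issue", "ca-a.example")


def issuer_domain(value: str) -> str:
    """Return the issuer-domain-name part of an issue/issuewild value.

    RFC 6844 allows ';'-separated parameters after the domain; a value of
    just ';' names no issuer at all and therefore authorizes nobody.
    """
    return value.split(";", 1)[0].strip().lower()


def caa_permits(records: List[CaaRecord], ca_id: str, wildcard: bool) -> bool:
    """Decide whether CA `ca_id` may issue for a name governed by `records`.

    `wildcard` is True when the requested name is a wildcard (*.example).
    """
    issue = [v for tag, v in records if tag.lower() == "issue"]
    issuewild = [v for tag, v in records if tag.lower() == "issuewild"]

    # No authorization properties at all (empty set, or only e.g. iodef):
    # CAA places no restriction on issuance.
    if not issue and not issuewild:
        return True

    if wildcard:
        # issuewild takes precedence for wildcard names; with no issuewild
        # records present, the issue records govern wildcard issuance too.
        governing = issuewild if issuewild else issue
    else:
        # Non-wildcard names are governed only by issue records, so an
        # issuewild-only set leaves no CA authorized for them (the reading
        # taken in the thread).
        governing = issue

    return any(issuer_domain(v) == ca_id.lower() for v in governing)


if __name__ == "__main__":
    issue_only = [("issue", "ca-a.example")]  # constructed record set
    # The case from the thread: issue-only set, wildcard request by another CA.
    print(caa_permits(issue_only, "ca-b.example", wildcard=True))  # False
```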
