> On Oct 4, 2017, at 12:01 AM, Doug Beattie via Public <[email protected]> wrote:
>
> The BRs say if a lookup has been retried at least once that is permission to issue. Does this mean doing
> - a full CAA lookup, or
> - re-doing one failed CAA(X) look-up, or
> - redoing every CAA(X) lookup that failed in the course of doing a full CAA validation?
>
> If we follow the RFC processing logic and we encounter one failed lookup (e.g., SERVFAIL on shop.example.com), then we retry and it fails again, then do we exit the CAA checking and issue because the BRs say we may issue if we retry the lookup, which we just did? Reading the specs this seems to be permitted (we did “a” retry for a failed lookup), common logic says no.

That’s an interesting point. We could treat a (second) failure as meaning:

- Assume there is no CAA record here, continue with the algorithm, and maybe find a lower CAA record which denies issuance
- Assume there is a CAA record here which specifically allows issuance.

I believe the current wording is the second, not the first. I think considering we’re just getting started with mandatory CAA, it’s OK to have this rule at the moment. Switching to the first rule might be a way to tighten things once we’ve gotten some experience.
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
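The two readings of a retried lookup failure discussed in the thread differ in what a CA's validation code does next. The following Python is an added illustration, not code from the thread's authors or from any CA: it walks the CAA tree (a simplified RFC 6844 climb from the FQDN to its parents, without CNAME/DNAME chasing), retries a failed lookup once, and then applies either the "permit" reading (failure after retry is treated as permission to issue) or the "continue" reading (failure is treated as no record at that label and the climb goes on). The resolver, zone contents, and CA identifiers are constructed for the example; the SERVFAIL at shop.example.com mirrors the scenario in the quoted message.

```python
"""Simplified CAA tree walk with two policies for a lookup that fails after retry.

Added example (not from the thread); resolver data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


class LookupFailure(Exception):
    """A DNS lookup failed (SERVFAIL, timeout, ...)."""


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 0x80 is the "issuer critical" flag
    tag: str     # "issue", "issuewild", "iodef", or an unknown tag
    value: str


# Constructed zone data: name -> list of CAA records ([] means NODATA/NXDOMAIN),
# or "SERVFAIL" to simulate a lookup that keeps failing.
CONSTRUCTED_ZONE: Dict[str, Union[List[CAARecord], str]] = {
    "shop.example.com": "SERVFAIL",
    "example.com": [CAARecord(0, "issue", "other-ca.example")],
}

POLICY_PERMIT = "permit"      # retried failure == permission to issue
POLICY_CONTINUE = "continue"  # retried failure == no record here, keep climbing


class FakeResolver:
    """Stand-in for a real DNS resolver; records every query it receives."""

    def __init__(self, zone: Dict[str, Union[List[CAARecord], str]]):
        self.zone = zone
        self.queries: List[str] = []

    def caa(self, name: str) -> List[CAARecord]:
        self.queries.append(name)
        answer = self.zone.get(name, [])
        if answer == "SERVFAIL":
            raise LookupFailure(name)
        return list(answer)


def relevant_names(fqdn: str) -> List[str]:
    """The FQDN and each of its parents down to the TLD, in climbing order."""
    labels = fqdn.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def lookup_with_retry(resolver: FakeResolver, name: str, retries: int = 1) -> List[CAARecord]:
    """Query once and retry up to `retries` times before giving up."""
    attempts = 0
    while True:
        try:
            return resolver.caa(name)
        except LookupFailure:
            attempts += 1
            if attempts > retries:
                raise


def evaluate_rrset(rrset: List[CAARecord], ca_identity: str, name: str) -> Tuple[bool, str]:
    """Decide issuance from the first non-empty CAA RRset found in the climb."""
    for rec in rrset:
        # An unknown tag with the critical flag set forbids issuance (RFC 6844 s3).
        if rec.flags & 0x80 and rec.tag not in ("issue", "issuewild", "iodef"):
            return False, f"{name}: critical unknown tag {rec.tag!r}"
    issue_values = [r.value.split(";")[0].strip().lower() for r in rrset if r.tag == "issue"]
    if not issue_values:
        return True, f"{name}: CAA present but no issue property; issuance permitted"
    if ca_identity.lower() in issue_values:
        return True, f"{name}: issue property names {ca_identity}"
    return False, f"{name}: issue property does not name {ca_identity}"


def check_caa(resolver: FakeResolver, fqdn: str, ca_identity: str, failure_policy: str) -> Tuple[bool, str]:
    """Return (may_issue, reason) for `fqdn` under the chosen failure policy."""
    for name in relevant_names(fqdn):
        try:
            rrset = lookup_with_retry(resolver, name)
        except LookupFailure:
            if failure_policy == POLICY_PERMIT:
                return True, f"{name}: lookup failed after retry; treated as permission to issue"
            continue  # POLICY_CONTINUE: act as if no CAA record exists at this label
        if rrset:
            return evaluate_rrset(rrset, ca_identity, name)
    return True, "no CAA records anywhere in the tree; issuance permitted"


if __name__ == "__main__":
    for policy in (POLICY_PERMIT, POLICY_CONTINUE):
        r = FakeResolver(CONSTRUCTED_ZONE)
        allowed, why = check_caa(r, "shop.example.com", "my-ca.example", policy)
        print(f"{policy:9s} -> may_issue={allowed}  ({why}); queries={r.queries}")
```

Under the "permit" policy the walk stops at shop.example.com after the second SERVFAIL and issuance is allowed even though example.com restricts issuance to a different CA; under the "continue" policy the climb reaches example.com and the issue property denies it. Logging the query sequence, as the fake resolver does, is the check a CA would want in its own validation records to show which reading it applied.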
