Corey Bonnell via dev-security-policy wrote:
> If I recall correctly, there was some discussion in late 2017 in the
> IETF LAMPS WG (the working group producing the successor to the
> current CAA RFC 6844)
Thanks for noting this. Sounds like that's the best group to continue
the discussion in.
Matt Palmer via dev-security-policy wrote:
> I've read through your posts on this topic several times, and I still don't
> understand the problem you're trying to solve. If you point a CNAME at
> someone else, then you're delegating to them control of that name. If they
> set CAA records on t
Ryan Sleevi wrote:
> That is, an issue/issuewild parameter tag with a CA-specific property
> defined by the CA/Browser Forum (or by IETF) that detailed specific
> provisions for certain CNAMEs children.
Hmm, maybe something like
example.com CAA 0 issue "digicert.com"
example.com CAA 0 override
Ryan Sleevi via dev-security-policy wrote:
> I don't think we here will really be able to do anything for this; as you
> note, this is really a question about fundamental DNS specification, and
> whether or not other records can live along-side a CNAME. That seems like
> it'd be IETF's DNS grou
Ryan Sleevi wrote:
> I'm not sure I follow - when you go someapp.example.com to
> someapp.thirdparty.example, and they point to somewhere.somecdn.example,
> why is the assumption that somewhere.somecdn.example WOULDN'T place a CAA
> record?
It's been my observation that those systems do not set C
Hello,
While this is at its core a DNS question, since it's about CAA records
and cert issuance, I thought to post it here as well. If this is viewed
as off-topic, my apologies.
It seems to me that the behavior in combination with CNAMEs is
suboptimal at best. I believe we need to allow CAAs to
Hello,
I'm seeking clarification on the meaning of the CAA records:
RFC6844 notes that the 'issue' property entry "authorizes the holder of
the domain name *or a party acting under the
explicit authority of the holder of that domain name* to issue
certificates for the domain in which the propert
7 matches