I don't like erratum 5097. It just deletes the mention of DNAME, which can
easily be misinterpreted as not permitting DNAME following for CAA (or even
worse, allows DNAME to be handled however you want). Erratum 5097 also has not
been approved by IETF (and shouldn't be, for this reason).
The "natural" interpretation of DNAME, which has been discussed on various
CA/Browser forum calls and at the Taiwan face to face meeting, is that DNAME
must be handled in compliance with RFC 6672, which explains how synthesized
CNAMEs work.
My own personal preferred fix for RFC 6844 is to replace "CNAME or DNAME alias
record specified at the label X" with "CNAME alias record specified at the
label X, or a DNAME alias record *in effect at* the label X (see RFC 6672)".
But anyway, I think everyone agrees what we want: DNAMEs work the way they do
everywhere else. There's nothing special about them for CAA.
-Tim
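Tim's reading above, that a DNAME "in effect at" a label is applied by RFC 6672 substitution before the CAA climb continues to the parent, as an added example that is not code from this thread, from RFC 6844 or from any CA's implementation; the in-memory zone, the owner names and the issuer names are constructed, and the parent walk follows the RFC 6844 section 4 order:

```python
# Toy CAA lookup that follows a CNAME at the label and a DNAME in effect at
# the label (RFC 6672 substitution). Added example; zone data is constructed.

# Constructed zone: owner name -> {rrtype: [rdata, ...]}
ZONE = {
    "example.com.":         {"CAA": ['0 issue "ca-one.example"']},
    "old.example.com.":     {"DNAME": ["new.example.net."]},
    "www.new.example.net.": {"CAA": ['0 issue "ca-two.example"']},
    "alias.example.com.":   {"CNAME": ["target.example.org."]},
    "target.example.org.":  {"CAA": ['0 issue "ca-three.example"']},
}

def dname_in_effect(name):
    """Return (owner, target) of the closest DNAME covering `name`, or None.
    RFC 6672: a DNAME at owner O applies to names strictly below O, not to O."""
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels)):
        owner = ".".join(labels[i:]) + "."
        target = ZONE.get(owner, {}).get("DNAME")
        if target:
            return owner, target[0]
    return None

def resolve_caa_at(name, hops=0):
    """CAA RRset at one label, following CNAME and DNAME (bounded to 8 hops)."""
    if hops > 8:
        raise RuntimeError("alias chain too long at %s" % name)
    rrs = ZONE.get(name, {})
    if "CAA" in rrs:
        return rrs["CAA"]
    if "CNAME" in rrs:
        return resolve_caa_at(rrs["CNAME"][0], hops + 1)
    dn = dname_in_effect(name)
    if dn:
        owner, target = dn
        # RFC 6672 substitution: swap the DNAME owner suffix for its target
        synthesized = name[: -len(owner)] + target
        return resolve_caa_at(synthesized, hops + 1)
    return []

def caa_lookup(fqdn):
    """RFC 6844 section 4 climb: fqdn, then each parent, stop at first CAA set.
    Returns (label where CAA was found, rrset) or (None, [])."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        rrset = resolve_caa_at(name)
        if rrset:
            return name, rrset
    return None, []
```

Note that the DNAME owner itself ("old.example.com.") is not rewritten, so its CAA comes from the parent, exactly the RFC 6672 behaviour Tim is pointing at.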
-----Original Message-----
From: dev-security-policy
[mailto:dev-security-policy-bounces+thollebeek=trustwave@lists.mozilla.org]
On Behalf Of Andrew Ayer via dev-security-policy
Sent: Wednesday, October 25, 2017 5:05 PM
To: Kathleen Wilson
Cc: Kathleen Wilson via dev-security-policy; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: DRAFT November 2017 CA Communication
Hi Kathleen,
I suggest being explicit about which CAA errata Mozilla allows.
For CNAME, it's erratum 5065.
For DNAME, it's erratum 5097.
Link to errata:
https://www.rfc-editor.org/errata_search.php?rfc=6844
We don't want CAs to think they can follow any errata they like, or to come up
with their own interpretation of what "natural" means :-)
Regards,
Andrew
On Wed, 25 Oct 2017 12:46:40 -0700 (PDT) Kathleen Wilson via
dev-security-policy wrote:
> All,
>
> I will greatly appreciate your thoughtful and constructive feedback on
> the DRAFT of Mozilla's next CA Communication, which I am hoping to
> send in early November.
>
> https://wiki.mozilla.org/CA/Communications#November_2017_CA_Communication
>
> Direct link to the survey:
> https://ccadb-public.secure.force.com/mozillacommunications/CACommunicationSurveySample?CACommunicationId=a051J3mogw7
>
> Thanks,
> Kathleen
>
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>