On Wed, Feb 10, 2021 at 02:21:53AM +, Nick Lamb via dev-security-policy
wrote:
> On Mon, 8 Feb 2021 13:40:05 -0500
> Andrew Ayer via dev-security-policy
> wrote:
>
> > The BRs permit CAs to bypass CAA checking for a domain if "the CA or
> > an Affiliate of the CA is the DNS Operator (as defi

On Tue, Feb 9, 2021 at 9:22 PM Nick Lamb via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Mon, 8 Feb 2021 13:40:05 -0500
> Andrew Ayer via dev-security-policy
> wrote:
>
> > The BRs permit CAs to bypass CAA checking for a domain if "the CA or
> > an Affiliate of the CA

On Mon, 8 Feb 2021 13:40:05 -0500
Andrew Ayer via dev-security-policy
wrote:
> The BRs permit CAs to bypass CAA checking for a domain if "the CA or
> an Affiliate of the CA is the DNS Operator (as defined in RFC 7719)
> of the domain's DNS."
Hmm. Would this exemption be less dangerous for a CA w

On Mon, Feb 8, 2021 at 1:40 PM Andrew Ayer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> The BRs permit CAs to bypass CAA checking for a domain if "the CA or
> an Affiliate of the CA is the DNS Operator (as defined in RFC 7719)
> of the domain's DNS."
>
> Much like the

The BRs permit CAs to bypass CAA checking for a domain if "the CA or
an Affiliate of the CA is the DNS Operator (as defined in RFC 7719)
of the domain's DNS."
Much like the forbidden "any other method" of domain validation, the DNS
operator exception is perilously under-specified. It doesn't say h
5 matches