Re: CAA record checking issue

2019-05-13 Thread Matt Palmer via dev-security-policy
On Mon, May 13, 2019 at 01:35:09AM -0700, Mike Kushner via dev-security-policy wrote: > On Monday, May 13, 2019 at 1:39:32 AM UTC+2, Matt Palmer wrote: > > On Sat, May 11, 2019 at 08:37:53AM -0700, Han Yuwei via dev-security-policy > > wrote: > > > This raised a question: > > > How can CA prove

Re: CAA record checking issue

2019-05-13 Thread Mike Kushner via dev-security-policy
On Monday, May 13, 2019 at 1:39:32 AM UTC+2, Matt Palmer wrote: > On Sat, May 11, 2019 at 08:37:53AM -0700, Han Yuwei via dev-security-policy > wrote: > > This raised a question: > > How can CA prove they have done CAA checks or not at the time of issue? > > They can't, just as they can't

Re: CAA record checking issue

2019-05-12 Thread Matt Palmer via dev-security-policy
On Sat, May 11, 2019 at 08:37:53AM -0700, Han Yuwei via dev-security-policy wrote: > This raised a question: > How can CA prove they have done CAA checks or not at the time of issue? They can't, just as they can't prove they have or haven't done domain-control validation. It's up to audits,

Re: CAA record checking issue

2019-05-11 Thread Nick Lamb via dev-security-policy
On Fri, 10 May 2019 02:05:17 + Jeremy Rowley via dev-security-policy wrote: > https://bugzilla.mozilla.org/show_bug.cgi?id=1550645 > > Anyway, let me know what questions, comments, etc you have. Thanks Jeremy, If DigiCert is able to retrospectively achieve confidence that issuance would

Re: CAA record checking issue

2019-05-11 Thread Han Yuwei via dev-security-policy
This raised a question: How can CA prove they have done CAA checks or not at the time of issue? On Friday, May 10, 2019 at 10:05:36 AM UTC+8, Jeremy Rowley wrote: > FYI, we posted this today: > > > > https://bugzilla.mozilla.org/show_bug.cgi?id=1550645 > > > > Basically we discovered an issue with our

RE: CAA record checking issue

2019-05-10 Thread Jeremy Rowley via dev-security-policy
better understand the compliance implications. From: Ryan Sleevi Sent: Friday, May 10, 2019 2:16 PM To: Jeremy Rowley Cc: r...@sleevi.com; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: CAA record checking issue On Fri, May 10, 2019 at 3:55 PM Jeremy Rowley

Re: CAA record checking issue

2019-05-10 Thread Ryan Sleevi via dev-security-policy
On Fri, May 10, 2019 at 3:55 PM Jeremy Rowley wrote: > The analysis was basically that all the verification documents are still > good, which means if we issued the cert today, the issuance would pass > without further checks (since the data itself is good for 825 days). > Because of this,

RE: CAA record checking issue

2019-05-10 Thread Jeremy Rowley via dev-security-policy
: CAA record checking issue On Thu, May 9, 2019 at 10:05 PM Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org> > wrote: We checked all the applicable CAA records and found 16 where the CAA record would not permit us to issue if we were issuing a ne

RE: CAA record checking issue

2019-05-10 Thread Jeremy Rowley via dev-security-policy
-Original Message- From: Tim Shirley Sent: Friday, May 10, 2019 7:30 AM To: Jeremy Rowley ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: CAA record checking issue Jeremy, Thanks for sharing this. After reading your description, I'm curious how your system was previously

Re: CAA record checking issue

2019-05-10 Thread Jeremy Rowley via dev-security-policy
Okay. I'm working on something and will post it soon. From: Ryan Sleevi Sent: Friday, May 10, 2019 11:54:14 AM To: Jeremy Rowley Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: CAA record checking issue On Thu, May 9, 2019 at 10:05 PM Jeremy

Re: CAA record checking issue

2019-05-10 Thread Ryan Sleevi via dev-security-policy
On Thu, May 9, 2019 at 10:05 PM Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > We checked all the applicable CAA records and found 16 where the CAA record > would not permit us to issue if we were issuing a new cert today. What we > are proposing is to

Re: CAA record checking issue

2019-05-10 Thread Tim Shirley via dev-security-policy
Jeremy, Thanks for sharing this. After reading your description, I'm curious how your system was previously (or is now) satisfying the third criterion needed to issue in the face of a record lookup failure: confirming that the domain's zone does not have a DNSSEC validation chain to the ICANN