Re: [cabfpub] Ballot 187 - Make CAA Checking Mandatory

2017-02-25 Thread Ryan Sleevi via Public
On Sat, Feb 25, 2017 at 5:20 PM, Peter Bowen wrote:
>
> Consider Public Key Pinning for HTTP. If example.com sets a pin with
> “includeSubdomains”, then it applies to shop.example.com. If
> shopcorp.example set a pin with includeSubdomains it does not apply to
> shop.example.com.

Re: [cabfpub] Ballot 187 - Make CAA Checking Mandatory

2017-02-25 Thread Rob Stradling via Public
On 25/02/17 16:16, phill...@comodo.com wrote: The sequence is: beta.shop.example.com shop.example.com xmpl.cdn.bighost.com cdn.bighost.com * xmpl.cdnhost.xyz * cdnhost.xyz * xyz * shop.example.com example.com com Why the second "shop.example.com" ? Now if people were to say they think

Re: [cabfpub] Ballot 187 - Make CAA Checking Mandatory

2017-02-25 Thread Peter Bowen via Public
> On Feb 25, 2017, at 8:16 AM, philliph--- via Public wrote:
>
>> On Feb 24, 2017, at 9:17 PM, Peter Bowen wrote:
>>
>> On Fri, Feb 24, 2017 at 5:49 PM, philliph--- via Public wrote:
>>> On the CAA recursive part, I am

Re: [cabfpub] Ballot 187 - Make CAA Checking Mandatory

2017-02-25 Thread philliph--- via Public
> On Feb 24, 2017, at 9:17 PM, Peter Bowen wrote:
>
> On Fri, Feb 24, 2017 at 5:49 PM, philliph--- via Public wrote:
>> On the CAA recursive part, I am trying to track down why there is an
>> existing errata that makes a normative change with held for

Re: [cabfpub] Assuring trust in website identities

2017-02-25 Thread Peter Bowen via Public
Kirk,

I’m glad to hear you support my proposal. I did realize, after reading Ryan’s email, the sunset probably needs to be a rolling date to handle the BR “phase in” period. So the rule needs to effectively be:

* Effective July 1, 2017, unexpired OV/IV SSL certificates must be revoked