Re: [cabfpub] Question on BR BR 7.1.4.2.2(j) - Other Subject Attributes

2017-08-18 Thread Ryan Sleevi via Public
On Fri, Aug 18, 2017 at 11:14 AM, Doug Beattie wrote: > > > > > *From:* Ryan Sleevi [mailto:sle...@google.com] > *Sent:* Friday, August 18, 2017 10:33 AM > *To:* Doug Beattie > *Cc:* CA/Browser Forum Public Discussion List

Re: [cabfpub] Two CAA questions

2017-08-18 Thread Phillip via Public
One of the main things that CAs do as part of their business is precisely helping the customer configure their server to use the product. This is only one of dozens of misconfiguration issues that arise. DNSSEC is complex enough in itself. One of the side effects of DNSSEC is that it will

[cabfpub] Out of Office

2017-08-18 Thread denise.rodriguez--- via Public
Hello Everyone, Thank you for your message. I am currently out of the office. I will be returning the 28th of August. For urgent matters, you can contact Nicole Wayland. Regards, Denise ___ Public mailing list Public@cabforum.org

Re: [cabfpub] Ballot XXX: Canonicalise formal name of the Baseline Requirements

2017-08-18 Thread Ryan Sleevi via Public
Google will endorse On Fri, Aug 18, 2017 at 10:49 AM, Jeremy Rowley via Public < public@cabforum.org> wrote: > Digicert will endorse > > On Aug 18, 2017, at 8:46 AM, Gervase Markham via Public < > public@cabforum.org> wrote: > > [Can I get two endorsers for this administrative ballot? -- Gerv] >

[cabfpub] Ballot XXX: Canonicalise formal name of the Baseline Requirements

2017-08-18 Thread Gervase Markham via Public
[Can I get two endorsers for this administrative ballot? -- Gerv] *Ballot XXX: Canonicalise formal name of the Baseline Requirements* Purpose of Ballot: to make the formal name of the Baseline Requirements document clear, as use is not currently consistent. The following motion has been

Re: [cabfpub] Question on BR BR 7.1.4.2.2(j) - Other Subject Attributes

2017-08-18 Thread Ryan Sleevi via Public
On Fri, Aug 18, 2017 at 10:25 AM, Doug Beattie wrote: > Hi Kirk and Ryan, > > > > I think this points out a couple of important changes we should make to > the BRs: > > > > 1) We should clarify which fields can’t have just meta data characters. > The statement is

Re: [cabfpub] Question on BR BR 7.1.4.2.2(j) - Other Subject Attributes

2017-08-18 Thread Doug Beattie via Public
Hi Kirk and Ryan, I think this points out a couple of important changes we should make to the BRs: 1) We should clarify which fields can’t have just meta data characters. The statement is currently ambiguous in 2 ways: 1.1) It’s listed under “Other Subject Attributes” which implies it’s OK in

Re: [cabfpub] Two CAA questions

2017-08-18 Thread Ryan Sleevi via Public
On Fri, Aug 18, 2017 at 7:25 AM, Gervase Markham via Public < public@cabforum.org> wrote: > Is anyone able to explain why this scenario is at all common? Why would > the authoritative nameservers for a domain refuse to answer queries, if > the owner of the domain wanted the domain to work at all?

Re: [cabfpub] Question on BR BR 7.1.4.2.2(j) - Other Subject Attributes

2017-08-18 Thread Ryan Sleevi via Public
Hi Kirk, Your email may be confusing somethings. This is related to Entrust's issuance of non-BR compliant certificates, https://bugzilla.mozilla.org/show_bug.cgi?id=1390996 , correct? Hopefully you'll have a chance to reply there, even if to only acknowledge receipt and that Entrust is

Re: [cabfpub] Two CAA questions

2017-08-18 Thread Gervase Markham via Public
On 02/08/17 23:40, philliph--- via Public wrote: >> We cannot, however, determine whether the "domain’s zone does not have >> a DNSSEC validation chain to the ICANN root" because the domain's zone >> authoritative name servers are refusing to answer our DNS queries. >> >> This scenario is

Re: [cabfpub] Two CAA questions

2017-08-18 Thread Gervase Markham via Public
On 02/08/17 23:40, philliph--- via Public wrote: >> We cannot, however, determine whether the "domain’s zone does not have >> a DNSSEC validation chain to the ICANN root" because the domain's zone >> authoritative name servers are refusing to answer our DNS queries. >> >> This scenario is