From: Jacob Hoffman-Andrews [mailto:j...@letsencrypt.org]
Sent: Wednesday, October 4, 2017 4:17 PM
To: Doug Beattie <doug.beat...@globalsign.com>; CA/Browser Forum Public
Discussion List <public@cabforum.org>
Cc: geo...@apple.com
Subject: Re: [cabfpub] CAA look up failures and retr
You make a good point. To reiterate the language from the BRs:
> CAs are permitted to treat a record lookup failure as permission to issue if:
> • the failure is outside the CA's infrastructure;
> • the lookup has been retried at least once; and
> • the domain's zone does not have a DNSSEC
From: geo...@apple.com [mailto:geo...@apple.com]
Sent: Tuesday, October 3, 2017 10:07 PM
To: Doug Beattie <doug.beat...@globalsign.com>; CA/Browser Forum Public
Discussion List <public@cabforum.org>
Subject: Re: [cabfpub] CAA look up failures and retry logic
On
> On Oct 4, 2017, at 12:01 AM, Doug Beattie via Public
> wrote:
> The BRs say if a lookup has been retried at least once that is permission to
> issue. Does this mean doing
> - a full CAA lookup, or
> - re-doing one failed CAA(X) look-up, or
> -
The BR requirement for retrying failed lookups is ambiguous and we'd like to
receive some clarification, and eventually a ballot to help clarify the BRs.
The BRs say this:
CAs are permitted to treat a record lookup failure as permission to issue if:
- the failure is outside the CA's