On 14/04/15 13:09, Kurt Roeckx wrote:
> On 2015-04-14 13:54, Rob Stradling wrote:
>> On 14/04/15 12:38, Kurt Roeckx wrote:
>>> On 2015-04-14 01:15, Peter Kurrasch wrote:
>>>> Let's use an example. Suppose CNNIC issues a cert for
>>>> whitehouse[dot]gov and let's further suppose that CNNIC includes this
>>>> cert in the CT data since they have agreed to do that. What happens
>>>> next?
>>>
>>> What I've been wondering about is whether we need a mechanism where the
>>> CT log should approve the transition from one issuer to an other.
>>
>> Kurt, isn't CAA (RFC6844) the tool for this job?
>
> I don't see everybody publishing that.  Or do you want to make it a
> requirement that everybody publishes such a record?

I don't think domain owners should be required to publish CAA records.

BTW, effective tomorrow, the CABForum BRs require that...
"A CA’s CPS must state whether it reviews CAA Records, and if so, its policy or practice on processing CAA records for Fully Qualified Domain Names."

I'd like to eventually see a requirement that all CAs MUST process CAA records. One step at a time though.

> Kurt

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
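The CAA processing that Rob refers to, as an added example that is not part of this thread or of any CA's code: it walks the RFC 6844 "relevant record set" lookup (climb from the FQDN toward the root until a CAA RRset is found) and then decides whether a given CA identifier may issue. The zone data, CA names and the unknown tag are constructed for the demo; CNAME/DNAME handling is assumed out of scope.

```python
from typing import Dict, List, Optional, Tuple

# Constructed zone for the demo: owner name -> CAA RRs as (flags, tag, value).
# Not live DNS; no CNAME/DNAME handling (RFC 6844 s4 covers those separately).
ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com.": [(0, "issue", "ca-a.example; account=42"), (0, "issuewild", ";")],
    "strict.example.com.": [(128, "unknowntag", "x")],  # critical bit set, unknown tag
}

def parent(name: str) -> Optional[str]:
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else None

def relevant_caa(fqdn: str) -> Tuple[Optional[str], List[Tuple[int, str, str]]]:
    """RFC 6844 s4: walk from the FQDN toward the root; the first CAA RRset
    found is the relevant one. Returns (owner name, RRset) or (None, [])."""
    node = fqdn if fqdn.endswith(".") else fqdn + "."
    while node is not None:
        if node in ZONE:
            return node, ZONE[node]
        node = parent(node)
    return None, []

def issuer_domain(value: str) -> str:
    """'ca.example; account=42' -> 'ca.example' (parameters stripped)."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(fqdn: str, ca_id: str, wildcard: bool = False) -> bool:
    """Decide whether the CA identified by ca_id may issue for fqdn."""
    _, rrset = relevant_caa(fqdn)
    if not rrset:
        return True  # no CAA RRset anywhere up the tree: issuance unrestricted
    for flags, tag, _ in rrset:
        if flags & 128 and tag.lower() not in ("issue", "issuewild", "iodef"):
            return False  # critical flag on a tag we do not understand: refuse
    tag = "issuewild" if wildcard else "issue"
    values = [v for _, t, v in rrset if t.lower() == tag]
    if wildcard and not values:  # s5.3: no issuewild -> issue records apply
        values = [v for _, t, v in rrset if t.lower() == "issue"]
    if not values:
        return True  # only other tags (e.g. iodef): no issuance restriction
    allowed = {issuer_domain(v) for v in values}
    return ca_id.lower() in allowed  # ';' alone yields '' and matches no CA
```

A CA that processes CAA would run this decision at issuance time; a domain owner who publishes `issue ";"` or a single `issue` record is thereby restricting which CAs may issue for the whole subtree below that name.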

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy