Let me pull the data and share it with you. For some reason we saw a few subdomains right before the 8th. We added *.digicerts.com at the last minute until we had time to figure out why. I suspect it's being caused by documentation or a partner telling the customers the wrong thing. Once we track down the source, we can drop the wildcard.

> On Sep 11, 2017, at 5:09 AM, Gervase Markham <g...@mozilla.org> wrote:
>
> Hi Ben and Jeremy,
>
>> On 09/09/17 01:25, Ben Wilson wrote:
>> Those are typos. See section 4.2.1 of our CPS posted here:
>> https://www.digicert.com/wp-content/uploads/2017/09/DigiCert_CPS_v412.pdf
>
> This reads:
>
> "The Certification Authority CAA identifying domains for CAs within
> DigiCert’s operational control are “digicert.com”, “digicert.ne.jp”,
> “cybertrust.ne.jp”, and any domain containing those identifying domains
> as suffixes (e.g. *.digicert.com)."
>
> This latter part, while not perhaps being against the letter of the RFC,
> is somewhat unhelpful for people who want to write software working with
> CAA, because they now can't just load it with a per-CA list of valid
> domain names, but have to post-process and stem the value in this case.
> Are you certain you need that provision?
>
> Gerv
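
The difference between a per-CA list lookup and the suffix rule discussed in this thread, as an added example that is not part of the original messages and is not DigiCert's or Mozilla's code. The identifying domains are the three quoted from the CPS; the function names, the sample CAA values and the choice to match on whole DNS labels are assumptions made for illustration.

```python
# Added example: identifying domains are the ones quoted from the CPS above;
# the function names and sample CAA values are constructed for illustration.
CPS_IDENTIFYING_DOMAINS = {"digicert.com", "digicert.ne.jp", "cybertrust.ne.jp"}


def issuer_domain(caa_value: str) -> str:
    """Return the issuer domain name from a CAA issue/issuewild value.

    The value has the form 'domain [; name=value ...]'; an empty domain
    (for example the value ';') means no CA is authorized.
    """
    domain = caa_value.split(";", 1)[0].strip().lower()
    return domain.rstrip(".")


def matches_exact(caa_value: str, identifying: set[str]) -> bool:
    """Per-CA list lookup: the issuer domain must be one of the listed names."""
    return issuer_domain(caa_value) in identifying


def matches_suffix(caa_value: str, identifying: set[str]) -> bool:
    """Suffix rule: also accept names that end in a listed domain.

    Assumption: the comparison is done on whole DNS labels, so that
    'notdigicert.com' is not treated as a subdomain of 'digicert.com'.
    """
    labels = issuer_domain(caa_value).split(".")
    if labels == [""]:
        return False
    return any(".".join(labels[i:]) in identifying for i in range(len(labels)))


def compare(values):
    """Return {value: (exact, suffix)} for each CAA value."""
    return {v: (matches_exact(v, CPS_IDENTIFYING_DOMAINS),
                matches_suffix(v, CPS_IDENTIFYING_DOMAINS)) for v in values}


# Constructed sample CAA issue values, not taken from real zones.
SAMPLES = ["digicert.com", "www.digicert.com; policy=ev", "notdigicert.com",
           "DigiCert.com.", ";"]

if __name__ == "__main__":
    for value, (exact, suffix) in compare(SAMPLES).items():
        print(f"{value!r:32} exact={exact!s:5} suffix={suffix}")
```

A checker that only does the list lookup reports the `www.digicert.com` value as not matching this CA, which is the post-processing burden the quoted message describes.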