I would support that. I can't recall why it's in there.

-----Original Message-----
From: Jonathan Rudenberg [mailto:jonat...@titanous.com]
Sent: Monday, September 11, 2017 3:19 PM
To: Jeremy Rowley <jeremy.row...@digicert.com>
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: CAA Certificate Problem Report

> On Sep 11, 2017, at 17:03, Jeremy Rowley via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
> For a little more context, the idea is that we can speed up the CAA check for
> all customers while working with those who have DNSSEC to make sure they
> aren't killing performance. If there's a way to group them easily into
> buckets (timeout + quick does DNSSEC exist check), working on improving the
> experience for that particular set of customers is easier. That bucket can
> then be improved later.

Given the disaster that DNSSEC+CAA has been over the past few days for multiple CAs and the fact that it’s optional in the CAA RFC, what do you think about proposing a ballot to remove the DNSSEC requirement from the BRs entirely?

Jonathan
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy