Well, we are checking CAA and DNSSEC per our implementation. Looks great on our side and against our tests. Some individuals disagree though.
From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Monday, September 11, 2017 3:42 PM To: Jeremy Rowley <jeremy.row...@digicert.com>; Jonathan Rudenberg <jonat...@titanous.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: CAA Certificate Problem Report That seems like very poor logic and justification. Given that CAA and DNSSEC has been discussed in the CA/Browser Forum for literally years now, perhaps it's worth asking why CAs are only now discovering issues. That is, is the only reason we're discovering issues because CAs waited for the last possible moment? If so, why. Because they didn't write test suites? If not, why not? If so, what were they? I think arguments that suggest that failing to do the right thing makes it OK to do the wrong thing are the worst arguments to make :) On Mon, Sep 11, 2017 at 2:28 PM Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org <mailto:dev-security-policy@lists.mozilla.org> > wrote: I would support that. I can't recall why it's in there. -----Original Message----- From: Jonathan Rudenberg [mailto:jonat...@titanous.com <mailto:jonat...@titanous.com> ] Sent: Monday, September 11, 2017 3:19 PM To: Jeremy Rowley <jeremy.row...@digicert.com <mailto:jeremy.row...@digicert.com> > Cc: mozilla-dev-security-pol...@lists.mozilla.org <mailto:mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: CAA Certificate Problem Report > On Sep 11, 2017, at 17:03, Jeremy Rowley via dev-security-policy > <dev-security-policy@lists.mozilla.org > <mailto:dev-security-policy@lists.mozilla.org> > wrote: > > For a little more context, the idea is that we can speed up the CAA check for > all customers while working with those who have DNSSEC to make sure they > aren't killing performance. If there's a way to group them easily into > buckets (timeout + quick does DNSSEC exist check), working on improving the > experience for that particular set of customers is easier. That bucket can > then be improved later. Given the disaster that DNSSEC+CAA has been over the past few days for multiple CAs and the fact that it’s optional in the CAA RFC, what do you think about proposing a ballot to remove the DNSSEC requirement from the BRs entirely? Jonathan _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org <mailto:dev-security-policy@lists.mozilla.org> https://lists.mozilla.org/listinfo/dev-security-policy
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy