On 15/09/17 20:24, j...@letsencrypt.org wrote:
> We would like to ask the Mozilla and Google root programs on this list to 
> immediately grant at least temporary dispensation for CAs to implement the 
> CAA checking algorithm as described in this errata:
> 
> https://www.rfc-editor.org/errata/eid5065

Mozilla's current position on CAA checking algorithms is as follows.

CAA is now mandatory. As such, we expect all CAs to be making good faith
efforts to either:

a) do the algorithm in RFC6844, or
b) do the algorithm in RFC6844, as amended by erratum 5065

Once a motion passes in the CAB Forum to update the BRs to require b), I
would expect CAs in category a) to move to category b) within a
reasonable amount of time, such as 3 months. (If the motion fails, I
would expect the reverse.)

So yes, CAs which wish to do b) may do so according to Mozilla. If such
"non-compliance" ends up on an audit report, Mozilla will not consider
that material or concerning.

There is apparently also an open question about DNAME handling, and
another erratum which clarifies things, but my understanding is that the
RFC is open to two interpretations, one compatible with the algorithms
in the DNAME RFC, and one not. And that no-one uses DNAME in the wild
except people trying to test CAA ;-) So until I understand the situation
better, my general approach is that CAs may do whatever they can
reasonably justify as consistent with the RFC when it comes to DNAME.

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
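To make the two options in Gerv's message concrete, the following is an added example (not code from the email, from Mozilla, or from Let's Encrypt) that implements the RFC 6844 section 4 lookup rules and the erratum 5065 rules side by side over a constructed in-memory zone. It assumes the erratum's change is the one that matters here: the second rule becomes "if A(X) is not null and CAA(A(X)) is not empty, then R(X) = CAA(A(X))", so the tree is climbed from X but never from the alias target. Only CNAME aliases are modelled (the DNAME question Gerv raises is left out), and all names and CA identifiers are constructed.

```python
"""Added example: RFC 6844 section 4 CAA lookup beside the erratum 5065 variant.

Both lookups run over a constructed in-memory zone; no real DNS is consulted.
Only CNAME aliases are modelled; DNAME is not handled.
"""

MAX_DEPTH = 16  # guard against CNAME loops and runaway recursion

# Constructed zone data: owner name -> {"CAA": [...], "CNAME": target}.
# www.example.com. points at a CDN name with no CAA of its own, but the
# CDN operator's parent zone provider.example. does carry a CAA record.
ZONE = {
    "example.com.": {"CAA": ['0 issue "ca-a.example"']},
    "www.example.com.": {"CNAME": "cdn.provider.example."},
    "cdn.provider.example.": {},
    "provider.example.": {"CAA": ['0 issue "ca-b.example"']},
    "loop.example.com.": {"CNAME": "loop.example.com."},  # constructed loop
}


def caa(x):
    """CAA(X): the CAA record set at label X (empty list if none)."""
    return list(ZONE.get(x, {}).get("CAA", []))


def alias(x):
    """A(X): the CNAME target at label X, or None if X is not an alias."""
    return ZONE.get(x, {}).get("CNAME")


def parent(x):
    """P(X): the label immediately above X ("www.example.com." -> "example.com.")."""
    return x.split(".", 1)[1]


def is_tld(x):
    """True for a single-label name such as "com."."""
    return x.count(".") == 1


def rfc6844_r(x, depth=0):
    """R(X) as written in RFC 6844 section 4: an alias target is resolved
    with R(), so tree climbing also happens from the target's parents."""
    if depth > MAX_DEPTH:
        raise RuntimeError("CAA lookup exceeded %d steps at %s" % (MAX_DEPTH, x))
    if caa(x):
        return caa(x)
    a = alias(x)
    if a is not None:
        r_a = rfc6844_r(a, depth + 1)
        if r_a:
            return r_a
    if not is_tld(x):
        return rfc6844_r(parent(x), depth + 1)
    return []


def alias_chain_target(x):
    """End of the CNAME chain starting at X, or None if X is not an alias."""
    target = alias(x)
    if target is None:
        return None
    seen = {x}
    while alias(target) is not None:
        if target in seen or len(seen) > MAX_DEPTH:
            raise RuntimeError("CNAME loop at %s" % target)
        seen.add(target)
        target = alias(target)
    return target


def erratum5065_r(x, depth=0):
    """R(X) per erratum 5065 (as read here): only CAA(A(X)) at the end of the
    alias chain is consulted; the tree is climbed from X, not from A(X)."""
    if depth > MAX_DEPTH:
        raise RuntimeError("CAA lookup exceeded %d steps at %s" % (MAX_DEPTH, x))
    if caa(x):
        return caa(x)
    a = alias_chain_target(x)
    if a is not None and caa(a):
        return caa(a)
    if not is_tld(x):
        return erratum5065_r(parent(x), depth + 1)
    return []


def compare(name):
    """Return the record set each rule set would apply to one name."""
    return {"rfc6844": rfc6844_r(name), "erratum5065": erratum5065_r(name)}


def loop_is_rejected(name):
    """True if both lookups refuse a CNAME loop instead of recursing forever."""
    outcomes = []
    for lookup in (rfc6844_r, erratum5065_r):
        try:
            lookup(name)
            outcomes.append(False)
        except RuntimeError:
            outcomes.append(True)
    return all(outcomes)


if __name__ == "__main__":
    for n in ("example.com.", "www.example.com.", "deep.sub.example.com.", "nothing.test."):
        print(n, compare(n))
```

For www.example.com. the two rule sets disagree: the RFC 6844 text climbs from the CNAME target and ends up at provider.example.'s CAA, so the CDN operator's record would govern issuance for the customer's name, while the erratum checks only the alias target itself and then climbs from example.com., so the domain owner's own CAA applies. For names without an alias in the chain the two agree, which is why a CA can move between Gerv's categories a) and b) without changing anything for the common case.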