On 30/11/17 14:52, Ryan Sleevi wrote:
> I think that, as CAA deployment becomes common, this pattern will be
> not-uncommon. I would hope we don't sound false alarms when it does.

After a little time (as it does seem some bugs are still being shaken
out), I am considering having Mozilla adopt a policy either of:

a) not accepting CAA violation reports from people other than the owners
of the domain in question; or

b) automatically believing the CA if they post a log which shows their
view of the DNS at the time of issuance.

We could start with b), but if CAs get a high load of reports still, we
could move to a).

dev-security-policy mailing list
