I don't see how this debate is leading us to a solution. Can we just acknowledge that, prior to this discussion, the implications of CAA for the issuance of email certificates were not well understood by CAs or domain name registrants?
I share the desire to have a system that fails closed in the presence of any CAA record, but that is a challenge as long as ecosystem participants view CAA as applicable only to server certificates. The sooner we address this issue, the better.

Mozilla policy isn't a great place to define CAA syntax. The CA/Browser Forum currently has no jurisdiction over email, so at best could define syntax to limit CAA scope to server certificates. The scope of the LAMPS recharter for 6844bis appears too narrow to include this.

What is the best path forward?

- Wayne

On Tue, May 15, 2018 at 9:29 AM Tim Hollebeek via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Blatantly false. I actually suspect DigiCert might already support CAA
> for email. I haven’t double-checked.
>
> -Tim
>
> The only reason that "CAA is HTTPS-only" today is because CAs are not
> interested in doing the 'right' thing.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy