The LAMPS re-charter is still open for discussion.  I personally have no 
problem with CAA for email being in scope for 6844-bis.  I’m actually in favor 
of that if it really is currently out of scope (I haven’t checked).  Best to 
ask on the LAMPS charter thread.

 

-Tim

 

From: Wayne Thayer [mailto:wtha...@mozilla.com] 
Sent: Tuesday, May 15, 2018 12:41 PM
To: Tim Hollebeek <tim.holleb...@digicert.com>
Cc: Ryan Sleevi <r...@sleevi.com>; Pedro Fuentes <pfuente...@gmail.com>; 
mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: question about DNS CAA and S/MIME certificates

 

I don't see how this debate is leading us to a solution. Can we just 
acknowledge that, prior to this discussion, the implications of CAA for the 
issuance of email certificates were not well understood by CAs or domain name 
registrants?

 

I share the desire to have a system that fails closed in the presence of any 
CAA record, but that is a challenge as long as ecosystem participants view CAA 
as applicable only to server certificates. The sooner we address this issue, 
the better.

 

Mozilla policy isn't a great place to define CAA syntax. The CA/Browser Forum 
currently has no jurisdiction over email, so at best could define syntax to 
limit CAA scope to server certificates. The scope of the LAMPS recharter for 
6844bis appears too narrow to include this. What is the best path forward?

 

- Wayne

 

On Tue, May 15, 2018 at 9:29 AM Tim Hollebeek via dev-security-policy 
<dev-security-policy@lists.mozilla.org> wrote:

Blatantly false.  I actually suspect DigiCert might already support CAA for 
email.  I haven’t double-checked.



-Tim



The only reason that "CAA is HTTPS-only" today is because CAs are not 
interested in doing the 'right' thing.


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy