Good day, I want to share what is happening right now with the issuance of a certificate for my domain.

I had set up my CAA record and requested a certificate from a new CA, but forgot to correct my CAA record. The certificate issuance failed, all good. I detected the issue, but in the meantime I asked support to confirm the issue. This is the message I got:

“Upon checking with Comodo's technical team, they advised to remove the CAA records for the domain *** so that your certificate can be issued. Once removed, please write back to us so that I can again contact Comodo to inform that the CAA records are removed on your end.”

I understand that the BR allows a CA to produce the certificate if there is no CAA record, but I’m surprised that the correction for a CAA record missing the CA is to remove it and not correct it.

I’m unsure where to share this story, as I see this type of support answer as removing the value of the CAA. If the CA support solution is to ask for removal, is it not a way to circumvent the intent of providing a way for domain owners to control the list of CA issuers? If this is the way CAs intend to manage CAA records over time, what is the long-term value of having a record at all? I am sceptical that, except people that go above and beyond, they will just remove the record or never create one to start.

Maybe that is the intent of ballot 219 that changes the BR analysis of an empty CAA record; I do not know where to look for the discussion on the ballot.

I tried to find a discussion in this forum about that type of situation and found nothing, so I share mine.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy