On 18/03/2019 02:05, Nick Lamb wrote:
> On Fri, 15 Mar 2019 19:41:58 -0400
> Jonathan Rudenberg via dev-security-policy
> <[email protected]> wrote:
>
> I've noted this on a similar bug and asked for details:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1524733
>
> I can't say that this pattern gives me any confidence that the CA
> (CFCA) does CAA checks which are required by the BRs.
>
> I mean, how do you do a CAA check for a name that can't even exist? If
> you had the technology to run this check, and one possible outcome is
> "name can't even exist" why would you choose to respond to that by
> issuing anyway, rather than immediately halting issuance because
> something clearly went badly wrong? So I end up thinking probably CFCA
> does not actually check names with CAA before issuing, at least it does
> not check the names actually issued.


Technically, the name can exist, if (for some bad reason) ICANN were to
create the con. TLD (which would be a major invitation to phishing).

As "not found" is a permissive CAA check result, CAA checking may be
perfectly fine in this case.

Domain control validation however obviously failed, as no one controls
the non-existent domain, and thus no one could have proven control of
that domain.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
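The distinction drawn above (a CAA lookup that returns nothing is permissive, while domain control validation for a name nobody controls cannot succeed) can be made concrete with the RFC 8659 relevant-record-set walk. The following is an added example, not code from the thread or from any CA; the zone contents, the CA identifier "ca.example" and the helper names are constructed for illustration, and CNAME/DNAME following and wildcard (issuewild) handling are deliberately not modelled.

```python
"""Added example: RFC 8659 CAA lookup over a constructed in-memory zone.

It shows why a name under a non-existent TLD (e.g. "example.con") yields an
empty, and therefore permissive, CAA result, while a separate existence check
(the precondition for any domain control validation) fails for the same name.
"""

# Constructed zone data keyed by DNS name (assumption: not real DNS).
# None stands for NXDOMAIN; an empty list is a name that exists but has no CAA RRs.
ZONE = {
    "com": [],
    "example.com": [("issue", "letsencrypt.org")],
    "www.example.com": [],
    "blocked.example.com": [("issue", ";")],   # "issue ;" forbids all CAs
}


def lookup_caa(name):
    """Return the CAA RRset for `name` as a list of (tag, value), or None for NXDOMAIN."""
    return ZONE.get(name)  # any name absent from ZONE is NXDOMAIN


def name_exists(fqdn):
    """Stand-in for the resolution step that any domain control validation needs:
    a name that does not exist in DNS cannot have its control demonstrated."""
    return lookup_caa(fqdn.rstrip(".").lower()) is not None


def relevant_caa_rrset(fqdn):
    """RFC 8659 section 3: walk from the FQDN toward the TLD and return the first
    non-empty CAA RRset. NXDOMAIN at a label is treated like 'no CAA here' and the
    search simply continues upward, so a wholly non-existent tree yields []."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = lookup_caa(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def caa_permits(fqdn, ca_identifier):
    """CAA processing for a non-wildcard name.

    An empty relevant RRset, or one with no 'issue' property, does not restrict
    issuance. Otherwise the CA must be named by an 'issue' record; 'issue ;'
    names nobody and so forbids everyone.
    """
    rrset = relevant_caa_rrset(fqdn)
    issuers = [value.split(";")[0].strip() for tag, value in rrset if tag == "issue"]
    if not issuers:
        return True
    return ca_identifier in issuers


def issuance_check(fqdn, ca_identifier):
    """Both gates a CA must pass before issuing for `fqdn`."""
    return {
        "caa_permits": caa_permits(fqdn, ca_identifier),
        "name_exists": name_exists(fqdn),
    }


if __name__ == "__main__":
    for name in ("www.example.com", "blocked.example.com", "example.con"):
        print(name, issuance_check(name, "ca.example"))
```

For "example.con" the CAA walk visits "example.con" and "con", finds NXDOMAIN at both, and returns an empty set, so `caa_permits` is true exactly as the reply argues; `name_exists` is false for the same name, which is the gate that should have stopped issuance.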
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy