(Mis)-Issuance on CAA Timeout in DNSSEC signed zone

2017-09-12 Thread Quirin Scheitle via dev-security-policy
Hi, inspired by the ballot paragraph [1], I set up a domain that is fully DNSSEC signed [2], but does not reply to CAA queries (timeout). I could obtain certificates for this domain from Buypass and Startcom [3]. Other CAs (RapidSSL, GeoTrust, LetsEncrypt) have refused to issue, and GoDaddy an

RE: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone

2017-09-12 Thread Inigo Barreira via dev-security-policy
Hi Quirin, I was going to reply to your email after investigating what happened, but since you've posted here, I can share it. I think most of the CAs are struggling with the DNSSEC interpretation or how to solve some of the issues. In our case, I can tell the following: The DNSSEC checking is

RE: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone

2017-09-12 Thread Mads Egil Henriksveen via dev-security-policy
Hi, Buypass received the problem report at 2017-09-12 00:06 and started investigating early this morning. After investigating what happened, we identified an error in our system solution when we have a CAA RR lookup failure. In this case, the DNS CAA RR lookup timed out several times and we mis

Re: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone

2017-09-12 Thread Nick Lamb via dev-security-policy
On Tuesday, 12 September 2017 10:38:56 UTC+1, Inigo Barreira wrote: > Furthermore, according to the logs, at the time of checking for a CAA record, > there was none. The lookup was successful and hence allowed the issuance. Given that this contradicts the facts alleged in Quirin's tests and the f

Re: CAA Certificate Problem Report

2017-09-12 Thread Gervase Markham via dev-security-policy
On 11/09/17 22:28, Jeremy Rowley wrote: > I would support that. I can't recall why it's in there. As the drafter of the section :-), my intent was to make it so that if a site owner were concerned about the possibility that their CAA record or DNS could be spoofed, they could use DNSSEC to solve

RE: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone

2017-09-12 Thread Inigo Barreira via dev-security-policy
Ok, let me investigate this further, maybe I didn't catch it rightly. For the record, the certificate was revoked. Best regards, Iñigo Barreira CEO StartCom CA Limited -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+inigo=startcomca@lists.mozilla.org]

Fwd: New Version Notification for draft-belyavskiy-certificate-limitation-policy-04.txt

2017-09-12 Thread Dmitry Belyavsky via dev-security-policy
Hello, Here is the new version of the draft updated according to the discussion on mozilla-dev-security list. -- Forwarded message -- From: Date: Tue, Sep 12, 2017 at 3:55 PM Subject: New Version Notification for draft-belyavskiy-certificate-limitation-policy-04.txt To: Dmitry B

RE: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone

2017-09-12 Thread Inigo Barreira via dev-security-policy
Hi all, We've checked logs and still don't have a final conclusion but some clues about it. There were 2 attempts to request a cert for crossbear.org, the first one was 10 minutes before and was rejected because of timeout, but the second, the one issued, permitted the issuance. # 1st request fo

Incident Report - CAA misissuance (was Re: Lack of CAA checking at Comodo)

2017-09-12 Thread Rob Stradling via dev-security-policy
On 11/09/17 15:30, Rob Stradling via dev-security-policy wrote: Hi Hanno. Thanks for reporting this to us. We acknowledge the problem, and as I mentioned at [1], we took steps to address it this morning. We will follow-up with an incident report ASAP. INCIDENT REPORT We received two Proble

Re: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone

2017-09-12 Thread Quirin Scheitle via dev-security-policy
Hi all, Thank you for the replies. I am glad that there is agreement these certificates should not have been issued. I am confident that the test behaved correctly, the last edit on the zone file was on Aug 31 17:24, and it reads: crossbear.org. 0 CAA 0 issue ";" So even

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-12 Thread identrust--- via dev-security-policy
On Friday, September 8, 2017 at 3:25:20 PM UTC-4, Andrew Ayer wrote: > The BRs state: > > "Effective as of 8 September 2017, section 4.2 of a CA's Certificate > Policy and/or Certification Practice Statement (section 4.1 for CAs > still conforming to RFC 2527) SHALL state the CA's policy or practi