There's a specific provision in the CAA checking algorithm that allows CAs to
not even bother checking CAA records if the CA operates the nameservers for the
domain.
On Monday, 14 October 2019 04:28:19 UTC+2, Clint Wilson wrote:
> On Thu, Oct 10, 2019 at 11:32 PM Ryan Sleevi via dev-security-polic
On Thu, Oct 10, 2019 at 11:32 PM Ryan Sleevi via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Thu, Oct 10, 2019 at 11:42 PM Jeremy Rowley via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > Question, is there any prohibition against demonstra
On Fri, Oct 11, 2019 at 3:14 PM Doug Beattie
wrote:
> Ryan,
>
> Are you recommending that:
> a) we need a new domain validation method that describes this, or
> b) those CAs that want to play with fire can go ahead and do that based on
> their own individual security analysis, or
> c) we need a
ilson
Cc: Ryan Sleevi ; mozilla-dev-security-policy
; Jeremy Rowley
Subject: Re: DNS records and delegation
On Fri, Oct 11, 2019 at 2:10 PM Clint Wilson wrote:
> Apologies, but this isn't entirely clear to me. I'm guessing (hoping)
> my misunderstanding centers around a d
On Fri, Oct 11, 2019 at 2:10 PM Clint Wilson wrote:
> Apologies, but this isn't entirely clear to me. I'm guessing (hoping) my
> misunderstanding centers around a difference between the Applicant fully
> delegating DNS to the CA vs the Applicant only configuring a single CNAME
> record? If the Ap
Hello,
I just want to add that Let's Encrypt also allows for this (at least if I
understand you correctly).
The following is from https://letsencrypt.org/docs/challenge-types/
> Since Let’s Encrypt follows the DNS standards when looking up TXT records
> for DNS-01 validation, you can use CNAME
On Thu, Oct 10, 2019 at 11:42 PM Jeremy Rowley via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Question, is there any prohibition against demonstration of domain control
> being delegated to a third party or even the CA itself? I don't think so,
> but figured we've discus
Question, is there any prohibition against demonstration of domain control
being delegated to a third party or even the CA itself? I don't think so, but
figured we've discussed differences in interpretation a lot lately so wanted to
see if people agreed.
Section 3.2.2.4.7 in the CAB/F requires