Re: DNS records and delegation

2019-10-24 Thread bif via dev-security-policy
There's a specific provision in the CAA checking algorithm that allows CAs to not even bother checking CAA records if CA operates the nameservers for the domain. On Monday, 14 October 2019 04:28:19 UTC+2, Clint Wilson wrote: > On Thu, Oct 10, 2019 at 11:32 PM Ryan Sleevi via

Re: DNS records and delegation

2019-10-13 Thread Clint Wilson via dev-security-policy
On Thu, Oct 10, 2019 at 11:32 PM Ryan Sleevi via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > On Thu, Oct 10, 2019 at 11:42 PM Jeremy Rowley via dev-security-policy > <dev-security-policy@lists.mozilla.org> wrote: > > > Question, is there any prohibition against

Re: DNS records and delegation

2019-10-11 Thread Ryan Sleevi via dev-security-policy
On Fri, Oct 11, 2019 at 3:14 PM Doug Beattie wrote: > Ryan, > > Are you recommending that: > a) we need a new domain validation method that describes this, or > b) those CAs that want to play with fire can go ahead and do that based on > their own individual security analysis, or > c) we need a

RE: DNS records and delegation

2019-10-11 Thread Doug Beattie via dev-security-policy
Cc: Ryan Sleevi; mozilla-dev-security-policy; Jeremy Rowley Subject: Re: DNS records and delegation On Fri, Oct 11, 2019 at 2:10 PM Clint Wilson wrote: > Apologies, but this isn't entirely clear to me. I'm guessing (hoping) > my misunderstanding centers around a difference b

Re: DNS records and delegation

2019-10-11 Thread Ryan Sleevi via dev-security-policy
On Fri, Oct 11, 2019 at 2:10 PM Clint Wilson wrote: > Apologies, but this isn't entirely clear to me. I'm guessing (hoping) my > misunderstanding centers around a difference between the Applicant fully > delegating DNS to the CA vs the Applicant only configuring a single CNAME > record? If the

Re: DNS records and delegation

2019-10-11 Thread Cynthia Revström via dev-security-policy
Hello, I just want to add that Let's Encrypt also allows for this (at least if I understand you correctly). The following is from https://letsencrypt.org/docs/challenge-types/ > Since Let’s Encrypt follows the DNS standards when looking up TXT records for DNS-01 validation, you can use

Re: DNS records and delegation

2019-10-10 Thread Ryan Sleevi via dev-security-policy
On Thu, Oct 10, 2019 at 11:42 PM Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > Question, is there any prohibition against demonstration of domain control > being delegated to a third party or even the CA itself? I don't think so, > but figured we've