Re: CAA Certificate Problem Report

2017-09-13 Thread Matthew Hardeman via dev-security-policy
I concur in full with Nick Lamb's comments and positions on this matter. There is no reasonable short cut to actually doing the DNSSEC thing if we want to usefully intertwine those technologies at all. There IS significant benefit in enforcing complete DNSSEC validation for (all) the domain

Re: CAA Certificate Problem Report

2017-09-13 Thread Nick Lamb via dev-security-policy
Gerv, rather than start by digging into the specific technical details, let me ask a high level question. Suppose I have deployed DNSSEC for my domain tlrmx.org and I have a CAA record saying to only permit the non-existent Gotham Certificates gotham.example to issue. You say you don't want

Re: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone

2017-09-13 Thread Quirin Scheitle via dev-security-policy
Hi, just wanted to update that Certum has also issued on this domain: https://crt.sh/?id=209378608 I have opened a support ticket, which has led to revocation but not a qualified statement as to what happened yet. Kind regards Quirin

Re: [saag] Fwd: New Version Notification for draft-belyavskiy-certificate-limitation-policy-04.txt

2017-09-13 Thread Dmitry Belyavsky via dev-security-policy
Dear Nikos, On Wed, Sep 13, 2017 at 9:39 AM, Nikos Mavrogiannopoulos wrote: > On Tue, Sep 12, 2017 at 2:59 PM, Dmitry Belyavsky > wrote: > > Hello, > > > > Here is the new version of the draft updated according to the discussion > on > > mozilla-dev-security

RE: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone

2017-09-13 Thread Inigo Barreira via dev-security-policy
Thanks Quirin, we're working with Primekey to know what happened (we'll generate a report once known) and will contact you if necessary to check that info you have. Regarding the logs, the log message actually means that CAA either explicitly permitted the issuance, or implicitly permitted