Skip to Content.
Sympa Menu

cacert-policy - Re: implementing testing of new CAA-record in DNS according RFC6844

Subject: Policy-Discussion

List archive

Re: implementing testing of new CAA-record in DNS according RFC6844


Chronological Thread 
  • From: Eva Stöwe <katzazi AT gmx.de>
  • To: cacert-policy AT lists.cacert.org
  • Subject: Re: implementing testing of new CAA-record in DNS according RFC6844
  • Date: Mon, 19 Mar 2018 20:34:50 +0100

Hi Karl-Heinz,

I'm somewhat astonished to read that CAcert is a member of CA/Browser
forum. The last status I was aware of was that CAcert applied for some
kind of interested party status or something like that. Forgot the details.

This likely should be clarified, first. Then there would be the question
if that status (whatever it is) is useful and appropriate for CAcert as
I don't have the feeling that there is a lot of manpower to contribute
for it.

Anyway, before some policy change would be considered, we probably would
need to know more about what exactly is requested. At what step do we
need such a check? And for what? Which kind of certificates?

Kind regards,
Eva


On 19.03.2018 17:25, Karl-Heinz Gödderz wrote:
> Dear policy-group members,
>
> we were informed that
>> since september, 8th, 2017 CAs must check DNS' CAA records. This
>> decision was taken in spring 2017 by CA/Browser forum which CAcert is
>> member of.
>>
>> I can't see that this is already implemented in CAcert's signing
>> software, therefore I would like to ask you to take care of.
> does anyone from this group know if we have to change one of our
> policies to be allowed to implement this imperative?
>
> I couldn't find any in CPS. Which more policies do apply?
>
> Greetings
> Karl-Heinz
>
>
> * more information https://tools.ietf.org/html/rfc6844
>


Attachment: signature.asc
Description: OpenPGP digital signature




Archive powered by MHonArc 2.6.18.

Top of Page