[dns-operations] Browser and CA enforcement of CAA records?
Paul Hoffman
phoffman at proper.com
Thu May 25 02:26:01 UTC 2017
On 24 May 2017, at 15:34, Ángel wrote:
> On 2017-05-24 at 08:04 -0700, Paul Hoffman wrote:
>> I think Andrew's question was not what are browsers supposed to do with
>> CAA, but what are they actually doing. I'm interested in that as well.
>>
>> --Paul Hoffman
>
> Why would they be doing anything with them?
Because they didn't read the spec.
> They would have needed to add code to query and check a DNS entry that
> is unneeded for its use case and the specification clearly says they
> MUST NOT use.
Correct.
> I find rfc6844 is very clear on this:
>> «it is possible that a certificate that is not conformant with the
>> CAA records currently published was conformant with the CAA records
>> published at the time that the certificate was issued. Relying
>> Applications MUST NOT use CAA records as part of certificate
>> validation.»
>>
> -- https://tools.ietf.org/html/rfc6844#section-1
I know; I helped write that text during the development of the spec.
That doesn't mean that everyone is following it.
--Paul Hoffman
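The point the quoted RFC text makes is that CAA is an issuance-time control: the CA evaluates the records as published when it issues, and a relying application evaluating them later may see a different RRset. The following is an added example, not code from this thread or from any CA or browser. It implements the RFC 6844 section 4 lookup (climb from the requested name toward the root, take the first CAA RRset found; the CNAME/alias following of the original RFC is omitted) and the issue/issuewild rules of section 5, then shows a browser-style check that deliberately never consults CAA. The zone snapshots, CA names, the certificate and the `;`-parameter handling are constructed for illustration; the treatment of a wildcard request as starting at the name with the `*` label stripped is an assumption of this example.

```python
"""Issuance-time CAA evaluation beside a relying-party check that ignores CAA.
Added example; the zone data, CA names and certificate below are constructed."""
from datetime import datetime, timezone

# Constructed zone snapshots (illustrative data, not real DNS answers).
# Each maps an owner name to its CAA RRset as (flags, tag, value) tuples.
CAA_AT_ISSUANCE = {
    "example.com": [(0, "issue", "ca-a.example; account=42"),
                    (0, "issuewild", "ca-b.example")],
    "sub.example.com": [(0, "issue", ";")],   # empty issuer: nobody may issue
}
CAA_NOW = {   # the zone owner later moved to a different CA
    "example.com": [(0, "issue", "ca-c.example")],
}

TRUSTED_ISSUERS = {"ca-a.example", "ca-b.example", "ca-c.example"}

CERT = {   # constructed certificate issued by ca-a.example under CAA_AT_ISSUANCE
    "subject": "www.example.com", "issuer": "ca-a.example",
    "not_before": datetime(2017, 5, 1, tzinfo=timezone.utc),
    "not_after": datetime(2018, 5, 1, tzinfo=timezone.utc),
}


def relevant_caa_set(zone, name):
    """Climb from `name` toward the root; return the first CAA RRset found.
    (The alias/CNAME following of RFC 6844 section 4 is omitted here.)"""
    labels = name.rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def issuer_of(value):
    """The CA identity is the issuer domain name before any ';' parameters."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(zone, name, ca):
    """Would the CA identified by `ca` be permitted to issue for `name`
    against the CAA records published in `zone`?"""
    wildcard = name.startswith("*.")
    # Assumption of this example: a wildcard request is evaluated starting
    # at the name with the '*' label removed.
    rrset = relevant_caa_set(zone, name[2:] if wildcard else name)
    if not rrset:
        return True            # no CAA anywhere up the tree: unrestricted
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"      # issuewild present: issue tags are ignored
    authorised = [issuer_of(v) for _, t, v in rrset if t == tag]
    if not authorised:
        return True            # RRset present but no relevant property
    return ca.lower() in authorised   # ";" yields "" and matches no CA


def relying_party_accepts(cert, now):
    """Browser-style validation: trusted issuer and validity window only.
    CAA is consulted nowhere, per RFC 6844 section 1: the records may have
    changed since issuance, so they say nothing about this certificate."""
    return (cert["issuer"] in TRUSTED_ISSUERS
            and cert["not_before"] <= now <= cert["not_after"])


def demo():
    """Returns (conformant at issuance, conformant now, still accepted now)."""
    at_issuance = ca_may_issue(CAA_AT_ISSUANCE, CERT["subject"], CERT["issuer"])
    conformant_now = ca_may_issue(CAA_NOW, CERT["subject"], CERT["issuer"])
    now = datetime(2017, 11, 1, tzinfo=timezone.utc)
    return at_issuance, conformant_now, relying_party_accepts(CERT, now)


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The `demo()` result is the situation the RFC text describes: the certificate was conformant with the records at issuance, is no longer conformant with the records published now, and is still accepted by the relying party, which is exactly why validation-time CAA checking would reject legitimately issued certificates.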