Closed bgibson710 closed 7 years ago
Wouldn't it make sense to still allow people to check off, say, GlobalSign and get the hex value for it even though GlobalSign doesn't currently respect CAA records?
The problem is that there is no way of knowing what domain name a CA will recognize when they do start respecting CAA. If a CA has already committed to a domain name, I'll consider this. Otherwise I'd rather wait until September when every CA will be required to respect CAA and publish their domain name in their CPS.
This would then make it so the ones that DO support CAA record checking do not issue certificates for domains that don't have appropriate records.
This is already possible today. If you don't check any of the boxes, the CAA record (issue ";") won't allow any CAA-respecting CA to issue.
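The record discussed in this reply, worked through as an added example (not code from the generator this issue belongs to): it builds the CAA RDATA and the RFC 3597 generic "hex" form used by DNS servers without native CAA support, and falls back to issue ";" when no CA is selected. The function names and the issuer domain `ca.example` are assumptions made for illustration.

```python
# Added example: CAA RDATA encoding (RFC 8659) and RFC 3597 generic form.
# Helper names and "ca.example" are hypothetical, not taken from the thread.

CAA_TYPE = 257  # DNS RR type number assigned to CAA


def caa_rdata(flags: int, tag: str, value: str) -> bytes:
    """Wire format: 1 flags byte, 1 tag-length byte, tag, then value."""
    tag_b = tag.encode("ascii")
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one byte")
    if not 1 <= len(tag_b) <= 255 or not tag_b.isalnum():
        raise ValueError("tag must be 1-255 ASCII letters or digits")
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("ascii")


def generic_rr(rdata: bytes) -> str:
    """RFC 3597 unknown-type presentation: TYPE257 \\# <length> <hex>."""
    return f"TYPE{CAA_TYPE} \\# {len(rdata)} {rdata.hex().upper()}"


def policy(issuer_domains):
    """One 'issue' record per allowed CA domain.

    With no domains selected the policy is a single issue ";" record,
    which tells every CAA-respecting CA not to issue.
    """
    values = list(issuer_domains) or [";"]
    return [generic_rr(caa_rdata(0, "issue", v)) for v in values]


if __name__ == "__main__":
    print("no CA selected:", policy([]))
    # A CA can only be listed once the domain name it recognizes is known.
    print("one CA selected:", policy(["ca.example"]))
```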
Wouldn't it make sense to still allow people to check off, say, GlobalSign and get the hex value for it even though GlobalSign doesn't currently respect CAA records? This would then make it so the ones that DO support CAA record checking do not issue certificates for domains that don't have appropriate records.