Closed tfmtfm closed 7 years ago
Symantec GeoTrust, Thawte, RapidSSL
So they are already included.
I'm not exactly sure why that is there - but when you choose that option it adds "symantec.com" to the CAA list.
This is not correct (as seen in that info pointing at RapidSSL's website).
I suspect that somebody has followed the advice on some reseller who supply GeoTrust, Thawte and RapidSSL in addition to Symantec certificates (possibly outdated info from a time when only symantec actually checked CAA records?)
Symantec owns GeoTrust, Thawte, and RapidSSL, and symantec.com can be used for all of their brands according to their recent CA Communication with Mozilla. If you have evidence to the contrary (e.g. you can't issue a cert from RapidSSL when your CAA record lists symantec.com), please re-open this issue. Thanks!
I'm not sure I agree with closing this.
While including symantec.com may well allow RapidSSL and Thawte to also issue certs, the reverse shouldn't hold true. Surely the point of CAA is to restrict CAs to the ones you use. So if I want to restrict to RapidSSL but not allow the other Symantec brands to issue certs, then surely this tool should help me set the CAA record accordingly? Especially given the various certificate issuance problems Symantec have had in the past! Granted, if you are worried about that then you probably should move to a completely different CA, but still, restricting the CAA record as much as possible is surely a prudent move?
@bazzadp This is not my call. It's how Symantec processes CAA records, so if you have an issue with it you need to take it up with them.
Note, however, that Symantec, RapidSSL, Thawte, GeoTrust are literally the same, and in fact some of the problems with "Symantec" that were discussed this year actually occurred under the GeoTrust and RapidSSL brands.
I also agree with @bazzadp's point. If RapidSSL checks for its own domain in CAA records (in addition to symantec.com, I presume), I think this tool should allow users to create such records.
If Geotrust doesn't block a certificate request for a domain whose CAA restricts it only to rapidssl, it's pointless.
Agree on the "Symantec" issue.
So are you saying that by adding rapidssl.com (but not symantec.com) to your CAA record then all Symantec brands can issue certs for that site? Would be nice to get that clarified because that is not my understanding of how CAA should work!
Yes, adding rapidssl.com (but not symantec.com) to your CAA record set would allow all Symantec brands to issue. Since RapidSSL and Symantec are the same, this would not be contrary to the CAA standard.
Well that sucks. But if that's true then your reason for closing is indeed valid. Might run some tests after the September deadline next time I need to buy a cert.
RapidSSL say they support CAA:
https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO28449
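An added example (not code from this issue, the CAA tool, or any CA) of the CAA evaluation the thread argues about: it walks the DNS tree as RFC 6844 describes and checks the relevant record set against the set of issuer domain names a CA recognises as itself. The zone data is constructed, and SYMANTEC_BRANDS models the maintainer's statement that Symantec treats symantec.com and rapidssl.com as one CA; a strict single-name CA is modelled by passing just one domain.

```python
# Added example: RFC 6844 CAA issue/issuewild evaluation (constructed zone data).
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (value 128) is the "issuer critical" flag
    tag: str     # issue, issuewild, iodef, ...
    value: str

def parse_caa(rdata: str) -> CAARecord:
    """Parse presentation format, e.g. '0 issue "symantec.com"'."""
    flags, tag, value = rdata.split(" ", 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))

def relevant_rrset(zone: Dict[str, List[str]], name: str) -> List[CAARecord]:
    """Walk from the name toward the root; the first owner with CAA records
    is the relevant set (CNAME/DNAME chasing omitted for brevity)."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        owner = ".".join(labels)
        if owner in zone:
            return [parse_caa(r) for r in zone[owner]]
        labels = labels[1:]
    return []

def issuer_domain(value: str) -> str:
    """The issuer domain is the text before the first ';' (parameters follow it)."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(zone: Dict[str, List[str]], name: str,
              ca_domains: FrozenSet[str], wildcard: bool = False) -> bool:
    rrset = relevant_rrset(zone, name)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    # an unknown property flagged critical forbids issuance outright
    if any(r.flags & 128 and r.tag not in {"issue", "issuewild", "iodef"} for r in rrset):
        return False
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild, when present, governs wildcard requests
    props = [r for r in rrset if r.tag == tag]
    if not props:
        return True  # CAA exists (e.g. only iodef) but nothing restricts this request
    # 'issue ";"' names no CA and therefore authorises nobody
    return any(issuer_domain(p.value) in ca_domains for p in props)

# Constructed zone: "issue" on the apex, a wildcard lock-out, and a critical unknown tag.
ZONE = {
    "example.com": ['0 issue "symantec.com"', '0 iodef "mailto:caa@example.com"'],
    "wild.example.com": ['0 issue "symantec.com"', '0 issuewild ";"'],
    "odd.example.com": ['128 unknowntag "x"'],
}
SYMANTEC_BRANDS = frozenset({"symantec.com", "rapidssl.com"})  # per the thread's claim
```

Under a strict one-name reading, a record naming only symantec.com does not authorise an issuer identifying as rapidssl.com; with the brand set the thread describes, either name authorises both.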