SSLMate / caatestsuite

Test suite which checks compliance with CAA checking as defined in version 1.4.8 of the CABF Baseline Requirements
https://caatestsuite.com
Apache License 2.0

Interpretation of the value "caatestsuite.com" for issue or issuewild tag #10

Closed nic2re closed 5 years ago

nic2re commented 5 years ago

Hi,

First, thank you for this page. It can help me, for my internship, to test the different wrong cases. But, for some tests, I don't understand why a CA can't issue certificates. For example:

Thanks for your help.

nic2re commented 5 years ago

Another example: deny.permit.basic.caatestsuite.com

This FQDN contains a CAA record with good syntax, but the parent does not. Why can't the CA issue a certificate while the CAA record is OK?? In the RFC, we stop the search as soon as we find a CAA record with correct syntax, don't we?

AGWA commented 5 years ago

The content of these CAA records is caatestsuite.com. Since there is no CA which owns that domain or is authorized to use that domain, no CA is allowed to issue when these records are present. If an actual CA domain were specified instead, that CA would be allowed to issue.

CNAME records are discussed in section 4 of RFC 6844, which is modified by erratum 5065.
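As an added example (not code from the caatestsuite project or from either commenter), the following Python models the lookup referred to above, RFC 6844 section 4 as modified by erratum 5065, together with the issue/issuewild decision of section 5.2. It shows why a syntactically valid record whose issuer domain is not used by any CA blocks issuance entirely, while the same record naming the CA's own domain permits it. The zone it walks is constructed and hypothetical (example.com and example.org names, a CA that identifies itself as ca.example.net, an invented critical property "futuretag"); it is not the real caatestsuite.com zone. The one record taken from the thread is the RFC's own certs.example.com example.

```python
# Added example (not the caatestsuite project's code): resolve the relevant CAA
# record set for a name per RFC 6844 section 4 as modified by erratum 5065, then
# apply the issue/issuewild decision of section 5.2 for a CA identified by the
# domain it places in CAA records.  The zone below is constructed for the
# example; every name and issuer domain in it is hypothetical.
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class CAA:
    flags: int   # 128 = issuer-critical bit
    tag: str
    value: str


def parse_caa(text):
    """Parse presentation format such as '0 issue "example.net"'."""
    m = re.fullmatch(r'\s*(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*', text)
    if not m:
        raise ValueError(f"bad CAA record: {text!r}")
    return CAA(int(m.group(1)), m.group(2).lower(), m.group(3))


# Constructed zone: name -> CAA record set.  certs.example.com carries the
# record quoted from RFC 6844; the rest is invented for this example and is
# not the real caatestsuite.com zone.
CAA_RECORDS = {
    "certs.example.com": [parse_caa('0 issue "example.net"')],
    "example.com":       [parse_caa('0 issue "ca.example.net"')],
    # Well-formed record naming a domain no CA uses: nobody may issue.
    "child.example.com": [parse_caa('0 issue "nobody.invalid"')],
    "wild.example.com":  [parse_caa('0 issue "ca.example.net"'),
                          parse_caa('0 issuewild ";"')],
    "target.example.org": [parse_caa('0 issue "ca.example.net"')],
    "crit.example.com":  [parse_caa('128 futuretag "x"')],  # hypothetical tag
}
# Constructed CNAME aliases: name -> target.
CNAMES = {
    "alias.example.com":  "target.example.org",
    "alias2.example.com": "nocaa.example.org",   # target has no CAA records
}


def caa(name):
    return CAA_RECORDS.get(name, [])


def relevant_caa_set(name):
    """R(X) from RFC 6844 s.4 with erratum 5065: the first non-empty CAA set
    found walking from X up to the TLD, where at each label the alias target's
    own CAA set (but not the target's parents) is also consulted."""
    x = name.lower().rstrip(".")
    while x:
        if caa(x):
            return caa(x)
        target = CNAMES.get(x)
        if target and caa(target):
            return caa(target)
        if "." not in x:      # x is a TLD: nothing above it to climb to
            break
        x = x.partition(".")[2]
    return []


def issuer_domain(value):
    """'example.net; account=123' -> 'example.net'; ';' -> '' (no CA)."""
    return value.split(";", 1)[0].strip().lower()


def issuance_permitted(name, ca_domain, wildcard=False):
    """RFC 6844 s.5.2/5.3: may the CA known as ca_domain issue for name?"""
    rrset = relevant_caa_set(name)
    # A critical record with a property the CA does not understand forbids issuance.
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef")
           for r in rrset):
        return False
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # issuewild takes precedence for wildcard names; otherwise issue governs.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True     # empty set or no issue property: no restriction
    return any(issuer_domain(r.value) == ca_domain.lower() for r in applicable)


if __name__ == "__main__":
    for n, ca in [("child.example.com", "ca.example.net"),
                  ("child.example.com", "nobody.invalid"),
                  ("www.example.com", "ca.example.net"),
                  ("alias2.example.com", "ca.example.net")]:
        print(f"{n:22} {ca:16} permitted={issuance_permitted(n, ca)}")
```

The walk stops at the first non-empty set it finds, so child.example.com's own record is the relevant set even though the parent permits ca.example.net; because "nobody.invalid" is not the domain any CA uses, no CA passes the section 5.2 comparison for that name. The alias2 case shows the erratum 5065 behaviour: the CNAME target's own CAA set is consulted, but the climb continues from the original name's parents, not the target's.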

nic2re commented 5 years ago

Thank you for your response. I haven't read the errata document before...

Anyway, I have a different reading of the value "caatestsuite.com" (for the issue or issuewild tag). RFC 6844 talks, in section 5.2, about the certificate issuer and not the domain name's owner or a CA authorized to use it:

For example, the following CAA record set requests that no certificates be issued for the domain 'certs.example.com' by any certificate issuer other than the example.net certificate issuer.

certs.example.com CAA 0 issue "example.net"

"caatestsuite.com" is protected by a certificate issued by Comodo. So, for me, only Comodo is authorized to issue certificates for deny.basic.caatestsuite.com.

What do you think of it?