SSLMate / caatestsuite

Test suite which checks compliance with CAA checking as defined in version 1.4.8 of the CABF Baseline Requirements
https://caatestsuite.com
Apache License 2.0

Test for correct wildcard processing if issuewild is not present #9

Closed roycewilliams closed 6 years ago

roycewilliams commented 6 years ago

Someone else's relevant SSL Labs feature request here makes the following claim:

Warn users when they are using "issue" but not using an empty (";") "issuewild" CAA record. It means the presence of their CAA is pretty much useless because they are not forbidding the registration of a wild-card certificate.

From my reading of RFC 6844, I believe that this assertion is incorrect - that failing to include issuewild doesn't work that way. But I would also expect such behavior to be non-compliant, and worth testing for.

AGWA commented 6 years ago

Your interpretation is correct. Could you clarify what test you think should be added?

roycewilliams commented 6 years ago

If issue is set to permit only the caatestsuite.com CA to issue certificates for example.net, but there is no CAA issuewild record at all, then a query to see if nonallowedca.com can issue a certificate for *.example.net should fail. At least, that's what I think the OP means.

I'm honestly not sure if the original poster has actually observed that behavior in the wild (pun intended) ... but with the nested concepts and double-negative-ish nature of most RFC language, I can see where an implementing CA might make the same mistake that the OP is making.

AGWA commented 6 years ago

Ah, thanks for clarifying. This scenario should already be covered by the *.deny.basic.caatestsuite.com test case ("tests proper application of issue property to a wildcard FQDN").

Hopefully this person will chime in if they have actually observed this behavior in the wild (heh). I can also see how a CA could get this wrong.
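The wildcard rule discussed in the two comments above (an issue property governs *.example.net when no issuewild record exists; issuewild takes precedence only when it is present), as an added example that is not part of the caatestsuite project: a simplified RFC 6844-style issuance check over a constructed zone table instead of live DNS. The zone entries and the CA name other-ca.example are constructed, and CNAME/DNAME following is omitted.

```python
"""Simplified CAA issuance check (RFC 6844 wildcard semantics).
Added example, not caatestsuite code. DNS is replaced by a constructed
static zone so it runs offline; CNAME/DNAME following is not modelled."""
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # 128 = issuer-critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "caatestsuite.com", or ";" meaning no CA may issue

# Constructed zone. example.net permits only caatestsuite.com via "issue"
# and publishes NO issuewild record (the scenario from this issue thread).
ZONE = {
    "example.net.": [CAA(0, "issue", "caatestsuite.com")],
    "wild.example.net.": [CAA(0, "issue", "caatestsuite.com"),
                          CAA(0, "issuewild", "other-ca.example")],
    "open.example.net.": [CAA(0, "iodef", "mailto:security@example.net")],
    "none.example.net.": [CAA(0, "issue", ";")],
}

def relevant_rrset(fqdn):
    """Drop a leading '*' label, then climb towards the root; the first
    non-empty CAA RRset found is the relevant one for this FQDN."""
    labels = fqdn.rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = ZONE.get(".".join(labels) + ".", [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []

def issuer_of(value):
    return value.split(";", 1)[0].strip().lower()  # strip parameters

def may_issue(ca, fqdn):
    rrset = relevant_rrset(fqdn)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance unrestricted
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild") for r in rrset):
        return False  # critical property we do not understand: refuse
    wildcard = fqdn.startswith("*.")
    has_issuewild = any(r.tag == "issuewild" for r in rrset)
    # issuewild governs a wildcard only when present; otherwise issue does
    tag = "issuewild" if (wildcard and has_issuewild) else "issue"
    props = [r for r in rrset if r.tag == tag]
    if not props:
        return True  # CAA present but no issue/issuewild property: unrestricted
    return any(issuer_of(r.value) == ca.lower() for r in props)
```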

roycewilliams commented 6 years ago

Roger that - closing. I'll study the test suite more closely.