Closed roycewilliams closed 6 years ago
Your interpretation is correct. Could you clarify what test you think should be added?
If issue is set to permit only the caatestsuite.com CA to issue certificates for example.net, but there is no CAA issuewild record at all, then a query to see if nonallowedca.com can issue a certificate for *.example.net should fail. At least, that's what I think the OP means.
I'm honestly not sure if the original poster has actually observed that behavior in the wild (pun intended) ... but with the nested concepts and double-negative-ish nature of most RFC language, I can see where an implementing CA might make the same mistake that the OP is making.
Ah, thanks for clarifying. This scenario should already be covered by the *.deny.basic.caatestsuite.com test case ("tests proper application of issue property to a wildcard FQDN").
Hopefully this person will chime in if they have actually observed this behavior in the wild (heh). I can also see how a CA could get this wrong.
Roger that - closing. I'll study the test suite more closely.
Someone else's relevant SSL Labs feature request here makes the following claim:
Warn users when they are using "issue" but not using an empty (";") "issuewild" CAA record. It means the presence of their CAA is pretty much useless because they are not forbidding the registration of a wild-card certificate.
From my reading of RFC 6844, I believe that this assertion is incorrect - that failing to include issuewild doesn't work that way. But I would also expect such behavior to be non-compliant, and worth testing for.
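To make the issue/issuewild interaction concrete (both the *.example.net scenario described in the thread and the "no issuewild means wildcards are unrestricted" claim quoted above), here is an added example that is not part of this issue or of the caatestsuite project. It evaluates a constructed in-memory zone rather than real DNS; the hostnames and the `issuance_permitted` function are illustrative only, and the wildcard-label stripping follows the RFC 8659 clarification of RFC 6844.

```python
# Constructed CAA evaluator: shows that a wildcard name with no issuewild
# record falls back to the issue records, so "issue only" still restricts
# *.example.net. Hypothetical helper, not the test suite's own code.
from typing import Dict, List, Tuple

CAARecord = Tuple[str, str]          # (property tag, property value)
Zone = Dict[str, List[CAARecord]]    # FQDN -> CAA RRset (constructed, stands in for DNS)

# Constructed sample zone data (not real DNS).
ZONE: Zone = {
    "example.net": [("issue", "caatestsuite.com")],                    # issue only, no issuewild
    "locked.example.org": [("issue", "caatestsuite.com"), ("issuewild", ";")],  # issuewild ";" = nobody
}


def relevant_rrset(zone: Zone, name: str) -> List[CAARecord]:
    """Climb from `name` toward the root and return the first CAA RRset found.

    For a wildcard request the leading "*." is removed first, so *.example.net
    is governed by the RRset found at example.net (or at a parent of it)."""
    if name.startswith("*."):
        name = name[2:]
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return zone[candidate]
    return []


def issuer_of(value: str) -> str:
    """'ca.example; policy=ev' -> 'ca.example'; ';' -> '' (no CA may issue)."""
    return value.split(";", 1)[0].strip().lower()


def issuance_permitted(zone: Zone, ca: str, fqdn: str) -> bool:
    rrset = relevant_rrset(zone, fqdn)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    wildcard = fqdn.startswith("*.")
    issuewild = [v for tag, v in rrset if tag.lower() == "issuewild"]
    issue = [v for tag, v in rrset if tag.lower() == "issue"]
    # issuewild is ignored for non-wildcard names; for wildcard names it
    # replaces issue only when present. A wildcard name with no issuewild
    # is therefore governed by the issue records, which is the point above.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # RRset restricts nothing for this request (e.g. only iodef)
    return ca.lower() in {issuer_of(v) for v in applicable}
```

Run against the constructed zone, nonallowedca.com is refused for *.example.net even though no issuewild record exists, while the issuewild ";" record at locked.example.org blocks every CA for the wildcard and leaves the non-wildcard name governed by issue.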