Open aarongable opened 7 months ago
I would vote Yes to that change.
The SMIME BR will also address CAA and has no section 3.2.2.8. Consolidating the CAA requirements under 4.2 allows consistency across the two standards. Here's the draft for CAA in the SMIME BR. https://github.com/srdavidson/smime/compare/241e92cde85c25d7e0d4a5c70118ecadacd4d72b...c8b0c9ff9fa28c2c7abeb2871aaa2d60a19842ed
Added this to the scope of the Multi-Perspective Issuance Corroboration work thanks to the reminder from @aarongable.
Updated language can be found here via these commits: https://github.com/ryancdickson/staging/pull/8/commits/0525044a051bad888caf1072111a8c5717fe1cfa and https://github.com/ryancdickson/staging/commit/8315b6a3a338ea6b47cf99979b0d97f61e5f3363
Summary:
@bcmorton / @srdavidson - your review and feedback are welcome, along with other members of the community!
Here's the S/MIME BR (SBR) equivalent. https://github.com/cabforum/smime/pull/228/file For issuers, it's preferable to have similar requirements in similar sections. SBR has no 3.2.2.8 so its CAA content is in 4.2.2.1 ... however both the SBR and this text require documentation of CAA practices in section 4.2 so that should be fine.
Currently:
Section 2.2 states
Section 3.2.2.8 is entitled "CAA Records" and contains numerous requirements regarding CAA checking
And Section 4.2 has nothing to say about CAA, despite the fact that CAs are required to document their own CAA-checking practices here, as per Section 2.2.
These should be unified. In my opinion, the paragraph in Section 2.2 should be removed, and anything we want to keep from it should be moved into Section 3.2.2.8. Then CAs can similarly move all of their CAA practices into Section 3.2.2.8 of their CP/CPS.