Clarify RRsets with no issue/issuewild. #1

Merged: 3 commits, May 30, 2018
23 changes: 15 additions & 8 deletions draft-ietf-lamps-rfc6844bis.md
Expand Up @@ -438,18 +438,15 @@ authorization to specific certificate issuers.
The CAA issue property value has the following sub-syntax (specified
in ABNF as per {{!RFC5234}}).

issuevalue = space \[domain] space \[";" *(space parameter) space]
issuevalue = *WSP [domain] *WSP [";" *WSP [parameters] *WSP]

domain = label *("." label)
label = (ALPHA / DIGIT) *( *("-") (ALPHA / DIGIT))

space = *(SP / HTAB)

parameter = tag "=" value

tag = 1*(ALPHA / DIGIT)

value = *VCHAR
parameters = (parameter *WSP “;” *WSP parameters) / parameter
parameter = tag *WSP "=" *WSP value
tag = (ALPHA / DIGIT) *( *("-") (ALPHA / DIGIT))
value = *(%x21-3A / %x3C-7E)

For consistency with other aspects of DNS administration, domain name
values are specified in letter-digit-hyphen Label (LDH-Label) form.
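
Review bot: the new `parameters` rule writes its semicolon literal with typographic quotation marks (“;”), while every other literal in this hunk, including the ";" in `issuevalue`, uses ASCII double quotes. ABNF as specified in RFC 5234 delimits literal strings with the ASCII DQUOTE, so the rule as written is not valid ABNF and will not pass an ABNF parser; change it to `";"`. Since `value` is narrowed from `*VCHAR` to `*(%x21-3A / %x3C-7E)`, a sentence stating that the semicolon (%x3B) is excluded because it separates parameters would make the intent clear to implementers writing CAA parsers.
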
Expand Down Expand Up @@ -483,6 +480,11 @@ CAA authorizations are additive; thus, the result of specifying both
the empty issuer and a specified issuer is the same as specifying
just the specified issuer alone.

A non-empty CAA record set that contains no issue property tags
is authorization to any certificate issuer to issue for the corresponding
domain, provided that it is a non-wildcard domain, and no records in the
CAA record set otherwise prohibit issuance.

An issuer MAY choose to specify issuer-parameters that further
constrain the issue of certificates by that issuer, for example,
specifying that certificates are to be subject to specific validation
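
Review bot: the closing condition of the added paragraph, "no records in the CAA record set otherwise prohibit issuance", does not say which records can prohibit issuance when no issue property is present, which leaves a CA implementer to guess at the check. Name the condition or cross-reference the section that defines it, so that the "any certificate issuer" authorization cannot be read more broadly than intended.
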
Expand All @@ -507,6 +509,11 @@ If at least one issuewild property is specified in the relevant
CAA record set, all issue properties MUST be ignored when
processing a request for a domain that is a wildcard domain.

A non-empty CAA record set that contains no issue or issuewild property tags
is authorization to any certificate issuer to issue for the corresponding
wildcard domain, provided that no records in the CAA record set otherwise
prohibit issuance.

## CAA iodef Property

The iodef property specifies a means of reporting certificate issue
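
Review bot: the added paragraph speaks of "issue or issuewild property tags", whereas the unchanged sentence directly above it uses "issuewild property" and "issue properties". Use "contains no issue or issuewild properties" so that the terminology is consistent within the section and a reader does not wonder whether a "property tag" is something different from a property.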