Reviewer: John Levine Review result: Ready with Nits This draft adds a new "issuemail" property to the CAA RRTYPE to manage S/MIME records. Its tag syntax is identical to the existing "issue" and "issuewild" properties. Section 3 repeats the entire definition of the issue property tag syntax rather than saying "The issuemail Property Tag has the same syntax as the issue Property Tag" but it's OK as is. The draft wisely does not attempt to deal with individual email addresses, since we have yet to invent a method to put them in the DNS in a way that correctly represents them and scales. It's never been clear how one ensures that the requestor for a S/MIME cert is authorized to ask for a cert for the address, since from the outside you can't tell anything about the relationship between a domain and e-mail addresses at that domain. (Consider, for example, addresses at gmail.com. ietf.org, and fbi.gov.) While this change doesn't make the authorization issue any worse, it also doesn't improve it. It'd be worth a sentence in the security section to remind people that the CAA restrictions have to be used along with some other way to check whether it is OK for the CA to sign a cert for a specific address. -- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call