Re: [Last-Call] Artart last call review of draft-ietf-lamps-caa-issuemail-04

John:
> 
> Reviewer: John Levine
> Review result: Ready with Nits
> 
> This draft adds a new "issuemail" property to the CAA RRTYPE to manage
> S/MIME records. Its tag syntax is identical to the existing "issue"
> and "issuewild" properties. Section 3 repeats the entire definition of
> the issue property tag syntax rather than saying "The issuemail
> Property Tag has the same syntax as the issue Property Tag" but it's
> OK as is.
> 
> The draft wisely does not attempt to deal with individual email
> addresses, since we have yet to invent a method to put them in the DNS
> in a way that correctly represents them and scales. 
> 
> It's never been clear how one ensures that the requestor for a S/MIME
> cert is authorized to ask for a cert for the address, since from the
> outside you can't tell anything about the relationship between a
> domain and e-mail addresses at that domain. (Consider, for example,
> addresses at gmail.com, ietf.org, and fbi.gov.) While this change
> doesn't make the authorization issue any worse, it also doesn't
> improve it. It'd be worth a sentence in the security section to remind
> people that the CAA restrictions have to be used along with some other
> way to check whether it is OK for the CA to sign a cert for a specific
> address.

The CA/Browser Forum has defined several mechanisms for a user to demonstrate that they have access to send and receive email at a particular mailbox.  That said, I'm not sure it is a topic for this document.

Russ
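The point in the review that the issuemail tag reuses the issue tag syntax can be made concrete with a small CAA evaluator. The code below is an added example, not code from the draft, the reviewer or the author of this message; it assumes the RFC 8659 issue value grammar (an issuer domain name, optionally followed by ";"-separated key=value parameters, with a bare ";" meaning no CA may issue), the RFC 8659 climb-towards-the-root search for the relevant CAA RRset, and that a relevant RRset with no issuemail property leaves S/MIME issuance unrestricted. The zone data and the `policy=strict` parameter are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Added example; not from the draft or this thread.  Assumes the 'issuemail'
# value grammar is the RFC 8659 'issue' grammar:
#     issuer-domain-name [";" parameter *(";" parameter)]
# where an empty issuer (the value ";") means "no CA may issue".


@dataclass
class CaaRecord:
    flags: int
    tag: str
    value: str


@dataclass
class IssuerRule:
    issuer: Optional[str]                       # None: explicit "no CA" (value ";")
    params: Dict[str, str] = field(default_factory=dict)


def parse_issue_value(value: str) -> IssuerRule:
    """Parse an issue/issuemail property value into issuer + parameters."""
    parts = value.split(";")
    issuer = parts[0].strip().lower().rstrip(".")
    params: Dict[str, str] = {}
    for raw in parts[1:]:
        raw = raw.strip()
        if not raw:
            continue                              # tolerate a trailing ';'
        if "=" not in raw:
            raise ValueError(f"malformed CAA parameter: {raw!r}")
        key, val = raw.split("=", 1)
        params[key.strip().lower()] = val.strip()
    return IssuerRule(issuer or None, params)


def relevant_rrset(domain: str,
                   lookup: Callable[[str], List[CaaRecord]]) -> List[CaaRecord]:
    """Walk from the domain towards the root and return the first non-empty
    CAA RRset (the RFC 8659 'relevant RRset' search)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = lookup(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def may_issue_smime(ca: str, mail_domain: str,
                    lookup: Callable[[str], List[CaaRecord]]) -> bool:
    """True if CAA permits `ca` to issue an S/MIME certificate for an
    address at `mail_domain`.  Only issuemail records are consulted."""
    ca = ca.lower().rstrip(".")
    rules = [parse_issue_value(r.value)
             for r in relevant_rrset(mail_domain, lookup)
             if r.tag.lower() == "issuemail"]
    if not rules:
        # Assumption: no issuemail property means CAA does not restrict
        # S/MIME issuance; 'issue' records do not govern it.
        return True
    return any(rule.issuer == ca for rule in rules)


# Constructed zone data for the example (names are not real CAs).
ZONE: Dict[str, List[CaaRecord]] = {
    "example.com": [
        CaaRecord(0, "issue", "web-ca.example"),
        CaaRecord(0, "issuemail", "mail-ca.example; policy=strict"),
    ],
    "locked.example": [CaaRecord(0, "issuemail", ";")],
}


def zone_lookup(name: str) -> List[CaaRecord]:
    return ZONE.get(name, [])


if __name__ == "__main__":
    for ca, dom in [("mail-ca.example", "example.com"),
                    ("web-ca.example", "example.com"),
                    ("mail-ca.example", "mail.sub.example.com"),
                    ("mail-ca.example", "locked.example"),
                    ("anyone.example", "nocaa.example")]:
        print(f"{ca:18} -> {dom:22} {may_issue_smime(ca, dom, zone_lookup)}")
```

Note that the web CA listed in the `issue` record is refused for S/MIME: the evaluator deliberately does not fall back from issuemail to issue, which is the separation the new property tag exists to create. As the review observes, a permitted CA is still only a necessary condition; confirming that the requester controls the specific mailbox is a separate check.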

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
