Dear all,
The vendor of our CA system has started planning for the implementation of DNSSEC validation of Domain Validation and CAA (SC-085v2).
One point came up: We currently support domain validation method 3.2.2.4.4 Constructed Email to Domain Contact. This is implemented in a way that the CA system has the mail-server configured where it hands off the emails to be sent out.
It's now not really clear how to handle this with respect to DNSSEC validation. Is the expectation of the community that the sending mail-server will have to do DNSSEC validation as described in the TLS BR?
If so, that would have the side-effect that when such a DNSSEC validation fails, the mail-server currently has no way of signaling this failure back to the CA system. This in turn would mean that the customer would simply not receive the constructed email with the token and the domain validation would remain in a "pending" state.
1. What is the community's expectation regarding DNSSEC checks for email-based domain validation methods?
2. How are other CAs implementing this case?
Thanks for any feedback and experience sharing!
Kind regards
Roman
Roman Fischer
Information Security Manager
+41 76 310 12 66
SwissSign AG
Sägereistrasse 25
Postfach
CH-8152 Glattbrugg
swisssign.com
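An added example (not code from the post or from SwissSign's CA system) of one way the CA system itself could perform the DNSSEC-validated MX lookup before handing the constructed email to the mail-server, so that a validation failure becomes a recorded, definitive outcome instead of a silent "pending" state. It assumes a local DNSSEC-validating resolver at 127.0.0.1 (an assumption) and uses only the Python standard library; the AD/RCODE mapping follows RFC 4035 section 4.9.3.

```python
import os
import socket
import struct

# Outcomes the CA system can record instead of leaving the validation "pending".
SECURE, INSECURE, BOGUS, NXDOMAIN = "secure", "insecure", "bogus", "nxdomain"

def build_query(name, qtype=15, txn_id=None):
    """Build a DNS query (qtype 15 = MX) with RD=1, CD=0 and an EDNS0 OPT RR
    carrying the DO bit, so a validating resolver validates and sets AD."""
    txn_id = txn_id if txn_id is not None else int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 1)  # qd=1, ar=1 (OPT)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP payload 4096, ext-RCODE/version 0, DO=1, rdlen 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt

def classify_response(wire, txn_id=None):
    """Map the resolver's reply to a definitive result: AD=1 -> secure,
    NOERROR with AD=0 -> insecure (unsigned zone), SERVFAIL -> bogus."""
    if len(wire) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", wire[:4])
    if txn_id is not None and rid != txn_id:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR=0)")
    rcode = flags & 0x000F
    ad = bool(flags & 0x0020)  # Authenticated Data bit
    if rcode == 2:
        return BOGUS  # validation failure (or resolver error): treat as a hard failure, not "pending"
    if rcode == 3:
        return NXDOMAIN
    if rcode != 0:
        raise ValueError(f"unexpected RCODE {rcode}")
    return SECURE if ad else INSECURE

def lookup_mx_status(domain, resolver="127.0.0.1", timeout=3.0):
    """Ask the (assumed) local validating resolver over UDP and classify the answer."""
    txn_id = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(domain, txn_id=txn_id), (resolver, 53))
        wire, _ = sock.recvfrom(4096)
    return classify_response(wire, txn_id)
```

The CA system would only hand the email to the mail-server when the result is `secure` or `insecure`, and record `bogus` as a failed validation attempt with a reason the customer can act on.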