CAA "issuewild" question

You can see the issue/issuewild logic here:

It uses the issue set of properties of a CAA record by default unless the certificate is a wildcard certificate and there are one or more issuewild properties present in the CAA record. If not, it just uses the default of issue properties.

I'm pretty sure that would violate the BR. Article 3.2.2.8 of the current BR (1.8.0) only specifies that the CA needs to adhere to RFC 8659.

Depends what you want to achieve with that?

Those are the exact two options you've listed in your OP whereas there is a third option: "If no issuewild property has been set, the CA needs to abide by the issue property/properties for wildcard certificates".

5 Likes
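The issue/issuewild selection described in the post above, as an added example that is not part of the original post and is not the CA's own code. It covers only the choice between the two property sets under RFC 8659; the function names, the `(flags, tag, value)` tuple layout and the `ca-one.example` / `ca-two.example` issuer domains are assumptions made for illustration.

```python
# Added example: which CAA property set applies to a certificate request.
# Records are constructed (flags, tag, value) tuples, not live DNS data.

def issuer_domain(value):
    """Return the issuer domain part of an issue/issuewild value, lowercased."""
    # Anything after the first ';' is parameters; a bare ';' yields "".
    return value.split(";", 1)[0].strip().lower()

def caa_permits(records, name, ca_domain):
    """Decide whether ca_domain may issue for name given the relevant CAA RRset."""
    issue = [v for _, tag, v in records if tag.lower() == "issue"]
    issuewild = [v for _, tag, v in records if tag.lower() == "issuewild"]
    # A wildcard request uses issuewild only when at least one is present;
    # otherwise it falls back to the issue properties.
    if name.startswith("*.") and issuewild:
        relevant = issuewild
    else:
        relevant = issue
    # No restricting property in the selected set: CAA does not restrict issuance.
    if not relevant:
        return True
    # An empty issuer domain (value ";") matches no CA, so it forbids issuance.
    return any(issuer_domain(v) == ca_domain.lower() for v in relevant)

# Constructed sample RRsets.
ONLY_ISSUE = [(0, "issue", "ca-one.example")]
BOTH = [(0, "issue", "ca-one.example"), (0, "issuewild", "ca-two.example")]
NO_WILDCARDS = [(0, "issue", "ca-one.example"), (0, "issuewild", ";")]

if __name__ == "__main__":
    for label, rrset in (("only issue", ONLY_ISSUE), ("both", BOTH),
                         ("issuewild ';'", NO_WILDCARDS)):
        for name in ("www.example.com", "*.example.com"):
            for ca in ("ca-one.example", "ca-two.example"):
                print(f"{label:14} {name:17} {ca:15} "
                      f"permitted={caa_permits(rrset, name, ca)}")
```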