Agree on both points.
From: Ryan Sleevi <[email protected]>
Date: Thursday, 10 October 2019 at 18:16
To: Yaron Sheffer <[email protected]>
Cc: Thomas Fossati <[email protected]>, Ryan Sleevi <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: [Acme] Fwd: New Version Notification for draft-ietf-acme-star-delegation-01.txt

On Thu, Oct 10, 2019 at 5:22 AM Yaron Sheffer <[email protected]> wrote:

> I am wondering though about this sentence: A CA can "also offer additional validation methods/issuance flows which also use the "dns-01" method." Doesn't specifying "dns-01" restrict the CA to one particular validation/authorization flow?

No. There's a gap in the assumption here, which is that the CA MUST support draft-ietf-acme-caa, which is not specified, and were it specified, runs into the set of issues covered in https://tools.ietf.org/html/draft-ietf-acme-caa-10#section-5

However, setting that aside, the dns-01 validation method alone doesn't restrict the issuance pattern to just being STAR, which is the assertion "To restrict certificate delegation only to the protocol defined here:"
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
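To make concrete what a CAA validation-method restriction does and does not express, here is an added example (not from the thread, nor from either draft): a small checker that evaluates constructed CAA records using the `validationmethods` parameter of RFC 8657, the published form of draft-ietf-acme-caa. The record names and the `issuance_flow` argument are assumptions for illustration; the checker shows that `validationmethods=dns-01` limits the validation method but says nothing about whether issuance is STAR or ordinary.

```python
import re

# Constructed CAA RRset for the example (hypothetical names, not from the thread).
# RFC 8657 parameters ("validationmethods", "accounturi") are appended to the
# issuer domain, separated by ";".
CAA_RECORDS = [
    'example.com. CAA 0 issue "ca.example; validationmethods=dns-01"',
]

_CAA_RE = re.compile(r'^\S+\s+CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"$')


def parse_caa(rrset):
    """Parse presentation-format CAA RRs into dicts of flags/tag/issuer/params."""
    parsed = []
    for rr in rrset:
        m = _CAA_RE.match(rr.strip())
        if not m:
            raise ValueError(f"unparseable CAA record: {rr!r}")
        flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
        issuer, *param_strs = [p.strip() for p in value.split(";")]
        params = {}
        for p in param_strs:
            if p:
                k, _, v = p.partition("=")
                params[k.strip().lower()] = v.strip()
        parsed.append({"flags": flags, "tag": tag, "issuer": issuer, "params": params})
    return parsed


def caa_permits(rrset, ca, method, issuance_flow):
    """Return True if the CAA policy lets `ca` issue after validating with `method`.

    `issuance_flow` ("star" or "standard") is accepted but intentionally never
    consulted: no CAA property or RFC 8657 parameter can express it, which is
    exactly why a dns-01 restriction cannot confine a CA to STAR issuance.
    Only the "issue" property is modelled here; "issuewild" and the critical
    flag are out of scope for this illustration.
    """
    issue_records = [r for r in parse_caa(rrset) if r["tag"] == "issue"]
    if not issue_records:
        return True  # no "issue" property present: any CA may issue
    for r in issue_records:
        if r["issuer"] != ca:
            continue
        allowed = r["params"].get("validationmethods")
        if allowed is None or method in allowed.split(","):
            return True
    return False
```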
