Hello Carl,

Thank you for your review and I apologize for my extremely tardy response.

On Mon, May 18, 2020 at 11:41 AM Carl Mehner <[email protected]> wrote:
> Looking at the latest draft for acme-client, I noticed that it mentions
> CAA:
>
> CAA helps as anyone verifying a certificate used for code signing can
> verify that the CA used has been authorized to issue certificates for
> that organization.
>
> However, in the CAA RFC it states:
>
> Relying Applications MUST NOT use CAA records as part of certificate
> validation.
>
> I propose removing the statement in acme-client about CAA that is quoted
> above.

I recall having gone through this conversation before to wind up where the draft is now.

RFC8555 has the following:

caaIdentities (optional, array of string): The hostnames that the ACME server recognizes as referring to itself for the purposes of CAA record validation as defined in [RFC6844 <https://tools.ietf.org/html/rfc6844>]. Each string MUST represent the same sequence of ASCII code points that the server will expect to see as the "Issuer Domain Name" in a CAA issue or issuewild property tag. This allows clients to determine the correct issuer domain name to use when configuring CAA records.

Section 9.7.8 has the following:

Validation methods do not have to be compatible with ACME in order to be registered. For example, a CA might wish to register a validation method to support its use with the ACME extensions to CAA [ACME-CAA <https://tools.ietf.org/html/rfc8555#ref-ACME-CAA>].

Section 11.2 has the following:

An ACME-based CA must only use a resolver if it trusts the resolver and every component of the network route by which it is accessed. Therefore, it is RECOMMENDED that ACME-based CAs operate their own DNSSEC-validating resolvers within their trusted network and use these resolvers both for CAA record lookups and all record lookups in furtherance of a challenge scheme (A, AAAA, TXT, etc.).

As you point out, https://tools.ietf.org/html/rfc6844 advises against its use. I am happy to edit to consensus.

If a change is needed, I can turn that around quickly.

Best regards,
Kathleen

> -carl mehner
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
>

--
Best regards,
Kathleen
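As an added illustration of the CAA mechanics discussed in this thread (example code written for this page, not from the mailing list, either participant, or any RFC): the CA-side check of whether the Relevant CAA RRset permits issuance for a name, using the `issue`/`issuewild` and critical-flag rules of RFC 6844 as restated in its successor RFC 8659, together with a helper that derives the CAA records a domain owner would publish from the `caaIdentities` a CA advertises in its ACME directory `meta` object (the RFC8555 text quoted above). The zone contents and the CA identity `ca.example.net` are constructed sample data, and DNS lookups are simulated against an in-memory dictionary rather than a resolver.

```python
"""Added example, not from the ACME mailing-list thread or from RFC text.

Two sides of CAA as used around an ACME CA:
  * caa_permits(): the CA-side issuance check over the Relevant CAA RRset
    (RFC 6844 semantics as restated in RFC 8659: climb to the first non-empty
    CAA RRset, honour the critical flag, match issue/issuewild).
  * caa_records_for(): the domain-owner side, deriving CAA records from the
    caaIdentities a CA advertises in its ACME directory 'meta' object.

The zone below is constructed sample data; no real DNS queries are made.
"""
from dataclasses import dataclass

CRITICAL = 128  # RFC 6844 "issuer critical" flag bit


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0 or CRITICAL
    tag: str     # "issue", "issuewild", "iodef", or a tag this CA does not know
    value: str   # for issue/issuewild: issuer domain name, optionally ";k=v" params


# Constructed zone: CAA RRsets keyed by fully qualified owner name.
SAMPLE_ZONE = {
    "example.com.": [
        CAARecord(0, "issue", "ca.example.net"),   # only this CA may issue
        CAARecord(0, "issuewild", ";"),            # and nobody may issue wildcards
    ],
    "wild.example.net.": [
        CAARecord(0, "issue", "ca.example.net"),   # no issuewild: issue governs wildcards too
    ],
    "legacy.example.org.": [
        CAARecord(CRITICAL, "future-tag", "x"),    # critical tag the CA does not understand
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa(fqdn: str, zone: dict = SAMPLE_ZONE) -> list:
    """Walk from fqdn toward the root; the first non-empty CAA RRset is the Relevant RRset."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".", [])
        if rrset:
            return list(rrset)
    return []


def issuer_domain(value: str) -> str:
    """Issuer domain name is the text before any ';' parameter list, trimmed and lowercased."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(fqdn: str, issuer: str, zone: dict = SAMPLE_ZONE) -> bool:
    """True if a CA whose CAA issuer domain name is `issuer` may issue for `fqdn`.

    `fqdn` may be a wildcard name ("*.example.com"); CAA is then evaluated for
    the name under the wildcard, preferring issuewild tags when any are present.
    """
    wildcard = fqdn.startswith("*.")
    base = fqdn[2:] if wildcard else fqdn
    rrset = relevant_caa(base, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: CAA does not restrict issuance
    # A critical flag on a tag the CA does not understand forbids issuance outright.
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # RRset carries no issue/issuewild tag (e.g. iodef only): not restricted
    # A value of ";" has an empty issuer domain name and therefore matches no CA at all.
    return any(issuer_domain(r.value) == issuer.strip().lower() for r in relevant)


def caa_records_for(caa_identities: list, allow_wildcard: bool = False) -> list:
    """Presentation-format CAA records a domain owner would publish to restrict
    issuance to the CA advertising `caa_identities` (directory meta.caaIdentities)."""
    records = [f'0 issue "{ident}"' for ident in caa_identities]
    if allow_wildcard:
        records += [f'0 issuewild "{ident}"' for ident in caa_identities]
    else:
        records.append('0 issuewild ";"')
    return records


if __name__ == "__main__":
    print(caa_permits("www.example.com", "ca.example.net"))          # True
    print(caa_permits("*.example.com", "ca.example.net"))            # False: issuewild ";"
    print(caa_permits("host.legacy.example.org", "ca.example.net"))  # False: critical tag
    print(caa_records_for(["ca.example.net"]))
```

The issuance check is what a CA does before signing, which is exactly the role the RFC8555 `caaIdentities` field supports; nothing here is performed by a relying application validating a certificate, in keeping with the RFC 6844 prohibition quoted in the thread. A production CA would additionally perform the lookups through its own DNSSEC-validating resolver, as the quoted Section 11.2 recommends.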
