On 04/21/2016 12:45 PM, Hugo Landau wrote:
> https://datatracker.ietf.org/doc/draft-landau-acme-caa/

This mostly looks good to me. A few comments:

A little while back when we first discussed this, I proposed using ACME account URLs rather than thumbprints. At the time I could have gone either way, but thinking about it more, that seems like the right level of abstraction. The point of the record is to authorize a specific account, rather than a key. This also means that the CAA account binding spec doesn't have to be so tightly coupled with the details of how ACME request authentication works.

Also, I think the security section should mention that the CAA model of evaluating from the leftmost label means that this is not an effective means of controlling issuance in organizations where DNS for subdomains is delegated to parties that may configure a different CAA record.

The security section could stand to be a little more pointed about the risks for non-DNSSEC-enabled domains: Network attackers that could spoof an ACME validation response could also spoof a CAA response authorizing an attacker-chosen account key.

Thanks,
Jacob

Acme mailing list
https://www.ietf.org/mailman/listinfo/acme
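As an added illustration (not part of this message, of the draft, or of any CA's code), the following Python sketch implements the CAA "relevant record set" climb from RFC 6844/RFC 8659 over a constructed zone, parses the parameters of an `issue` property value, and checks an account binding against an ACME account URL. The parameter name `accounturi` is the one RFC 8657, the published successor of this draft, eventually adopted; the zone layout, CA domains and account URLs are constructed for the example, and CNAME/DNAME handling is omitted. The last two checks in `__main__` show the delegation point raised above: once `delegated.example.com.` publishes its own CAA record, the parent's binding at `example.com.` is never consulted for names beneath it. The lookup also trusts whatever RRset it is handed, which is why the result is only as strong as the DNS answer it was derived from.

```python
"""CAA tree-climbing with an ACME account binding check (added illustration)."""

# Constructed zone: owner name -> list of CAA records as (flags, tag, value).
# An empty list means the name exists but publishes no CAA RRset.
# CA domains, account URLs and zone layout are invented for this example.
CONSTRUCTED_ZONE = {
    "example.com.": [
        (0, "issue", "ca-a.example.net; accounturi=https://acme.ca-a.example.net/acct/123"),
    ],
    "www.example.com.": [],
    # Delegated to another party, which publishes its own CAA record.
    "delegated.example.com.": [
        (0, "issue", "ca-b.example.net; accounturi=https://acme.ca-b.example.net/acct/999"),
    ],
    "host.delegated.example.com.": [],
}


def relevant_caa(zone, name):
    """Find the relevant CAA RRset for `name` in the RFC 6844/8659 style.

    Starting at the full name and removing the leftmost label each step,
    return the first non-empty CAA RRset found together with its owner name.
    CNAME/DNAME handling is omitted for brevity.
    """
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        rrset = zone.get(owner, [])
        if rrset:
            return owner, rrset
    return None, []


def parse_issue_value(value):
    """Split an issue property value into (issuer domain, {param: value})."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        params[key.strip().lower()] = val.strip()
    return issuer, params


def issuance_permitted(zone, name, ca_domain, account_uri):
    """Return (permitted, owner) for a CA issuing to `account_uri` for `name`.

    `owner` is the name whose CAA RRset decided the outcome (None if no CAA
    record exists anywhere up the tree).
    """
    owner, rrset = relevant_caa(zone, name)
    issue_records = [v for _flags, tag, v in rrset if tag.lower() == "issue"]
    if not issue_records:
        # No CAA at all, or no issuance-restricting property: CAA does not forbid issuance.
        return True, owner
    for value in issue_records:
        issuer, params = parse_issue_value(value)
        if issuer != ca_domain.lower():
            continue  # an empty issuer (";") matches nobody and so forbids issuance
        bound = params.get("accounturi")
        if bound is None or bound == account_uri:
            return True, owner
    return False, owner


if __name__ == "__main__":
    checks = [
        ("www.example.com.", "ca-a.example.net", "https://acme.ca-a.example.net/acct/123"),
        ("www.example.com.", "ca-a.example.net", "https://acme.ca-a.example.net/acct/456"),
        ("host.delegated.example.com.", "ca-a.example.net", "https://acme.ca-a.example.net/acct/123"),
        ("host.delegated.example.com.", "ca-b.example.net", "https://acme.ca-b.example.net/acct/999"),
    ]
    for name, ca, acct in checks:
        ok, owner = issuance_permitted(CONSTRUCTED_ZONE, name, ca, acct)
        verdict = "permit" if ok else "deny"
        print(f"{name:30} {ca:18} acct/{acct.rsplit('/', 1)[-1]} -> {verdict:6} (decided by {owner})")
```

Run as a script it prints one verdict per check; the `owner` returned alongside each verdict makes it visible that, for `host.delegated.example.com.`, the decision was taken at `delegated.example.com.` and the binding at `example.com.` played no part.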
