First, I want to make a suggestion, and that is the possibility of a permanent
domain authorization.

The CABF says that it is permitted to use an SPKI hash or CSR hash as an
authentication token, without any nonce.

Since the SPKI hash is static for the same public key, and the CSR hash is
static if you use the same CSR all the time, it would be permitted as a
pre-authorization.

This would avoid an unnecessary restart of the name server at each renewal.

This could be combined with a requirement that the CAA record must specify that
permanent authorization is permitted for that host.

A question about CAA:

Why was it decided to use a new record type of CAA instead of using TXT?

Using TXT to convey policies is something that has been in use for a long
time, for example "v=spf1 +mx -all".
The same goes for SMTP-STS.

The main problem of introducing new record types is that DNS providers & web
hosts need to implement support for these, both in their DNS servers and/or
their web interfaces.

Using TXT for this, for example "v=caa1; f=128; t=issue; d=letsencrypt.org;",
gives the same advantages, but also the advantage that any DNS operator
supporting TXT will also support the new policy.

The record type 99 (SPF) was deprecated for this very reason.


_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme

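The property the post relies on (the SPKI hash stays fixed for a key while the CSR hash changes as soon as a new CSR is generated) can be checked directly. The following Go program is an added example, not code from the post or from any ACME implementation: it hashes the DER SubjectPublicKeyInfo of a key, builds two CSRs with that key, hashes each, and then recomputes the SPKI hash from the public key carried inside a CSR, which is the comparison a CA would make against a published token. The token encoding (hex SHA-256 over the DER) is an assumption for illustration; the post does not specify how the CABF token is encoded.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
)

// Hashes collects what a CA would compare against a DNS-published token:
// the SPKI hash of the key and the hashes of two CSRs made with that key.
// Hex SHA-256 over the DER bytes is an assumed encoding, not the CABF's.
type Hashes struct {
	SPKI        string // SHA-256 over the DER SubjectPublicKeyInfo
	CSR1, CSR2  string // SHA-256 over each DER CSR
	SPKIFromCSR string // SPKI hash recomputed from the public key inside CSR2
}

// spkiHash hashes the DER-encoded SubjectPublicKeyInfo of pub.
func spkiHash(pub crypto.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// sha256Hex hashes arbitrary DER bytes (used for the CSR hash).
func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// newCSR builds a fresh CSR for dnsName signed by key.
func newCSR(key crypto.Signer, dnsName string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: dnsName},
		DNSNames: []string{dnsName},
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// spkiHashFromCSR is the CA-side step: parse the submitted CSR, verify its
// self-signature, and hash the public key it carries so the result can be
// matched against the token published in DNS.
func spkiHashFromCSR(csrDER []byte) (string, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return "", err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", err
	}
	return spkiHash(csr.PublicKey)
}

// compareForKey makes two CSRs with the same key and reports all the hashes.
func compareForKey(key crypto.Signer, dnsName string) (Hashes, error) {
	var h Hashes
	var err error
	if h.SPKI, err = spkiHash(key.Public()); err != nil {
		return h, err
	}
	csr1, err := newCSR(key, dnsName)
	if err != nil {
		return h, err
	}
	csr2, err := newCSR(key, dnsName)
	if err != nil {
		return h, err
	}
	h.CSR1, h.CSR2 = sha256Hex(csr1), sha256Hex(csr2)
	if h.SPKIFromCSR, err = spkiHashFromCSR(csr2); err != nil {
		return h, err
	}
	return h, nil
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	h, err := compareForKey(key, "www.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Printf("SPKI hash:     %s\n", h.SPKI)
	fmt.Printf("SPKI from CSR: %s\n", h.SPKIFromCSR)
	fmt.Printf("CSR #1 hash:   %s\n", h.CSR1)
	fmt.Printf("CSR #2 hash:   %s (same key, fresh signature)\n", h.CSR2)
}
```

With an ECDSA key the two CSR hashes differ on every run because the signature is randomized, while the SPKI hash (and the SPKI hash recovered from the CSR) stays constant; only reusing the identical CSR bytes keeps the CSR hash stable, which is the condition the post attaches to it.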
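To show that the proposed TXT encoding carries the same information as a CAA record, the following Go program, an added example that is not from the post, parses both the RFC 6844 presentation form (`0 issue "letsencrypt.org"`) and the poster's proposed `v=caa1; f=...; t=...; d=...` TXT form into one common structure, then applies the same issue check to either. The TXT grammar is the poster's proposal as quoted in the message, not a standard; reading `d=` as the property value and `f=` as the flags byte is an assumption made here. The `mayIssue` logic follows RFC 6844 for an already-collected record set (critical unknown tags block issuance; if any `issue` records exist the CA must match one).

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Record is the common shape of one CAA property: flags byte, tag, value.
type Record struct {
	Flags uint8
	Tag   string
	Value string
}

// parseCAA parses the RFC 6844 presentation format: <flags> <tag> "<value>".
func parseCAA(s string) (Record, error) {
	fields := strings.SplitN(strings.TrimSpace(s), " ", 3)
	if len(fields) != 3 {
		return Record{}, errors.New(`caa: want: flags tag "value"`)
	}
	flags, err := strconv.ParseUint(fields[0], 10, 8)
	if err != nil {
		return Record{}, fmt.Errorf("caa: bad flags: %w", err)
	}
	value := strings.TrimSpace(fields[2])
	if len(value) < 2 || value[0] != '"' || value[len(value)-1] != '"' {
		return Record{}, errors.New("caa: value must be quoted")
	}
	return Record{Flags: uint8(flags), Tag: strings.ToLower(fields[1]), Value: value[1 : len(value)-1]}, nil
}

// parseTXT parses the poster's proposed TXT form, e.g.
// "v=caa1; f=128; t=issue; d=letsencrypt.org;". The field names are the
// poster's; treating d= as the value and f= as the flags is assumed here.
func parseTXT(s string) (Record, error) {
	kv := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		part = strings.TrimSpace(part)
		if part == "" {
			continue
		}
		k, v, ok := strings.Cut(part, "=")
		if !ok {
			return Record{}, fmt.Errorf("txt: bad field %q", part)
		}
		kv[strings.ToLower(strings.TrimSpace(k))] = strings.TrimSpace(v)
	}
	// The version prefix is what keeps unrelated TXT records (SPF etc.) apart.
	if kv["v"] != "caa1" {
		return Record{}, errors.New("txt: not a v=caa1 record")
	}
	var flags uint64
	if f, ok := kv["f"]; ok {
		var err error
		if flags, err = strconv.ParseUint(f, 10, 8); err != nil {
			return Record{}, fmt.Errorf("txt: bad flags: %w", err)
		}
	}
	tag, ok := kv["t"]
	if !ok {
		return Record{}, errors.New("txt: missing t= tag")
	}
	return Record{Flags: uint8(flags), Tag: strings.ToLower(tag), Value: kv["d"]}, nil
}

// mayIssue applies the RFC 6844 check to a collected record set, regardless of
// which encoding it came from: a record with the critical bit (128) and a tag
// we do not understand blocks issuance; if any "issue" records are present the
// CA's domain must match one (the part before any ';' parameters); with no
// "issue" records at all, issuance is allowed.
func mayIssue(records []Record, ca string) (bool, error) {
	hasIssue := false
	for _, r := range records {
		switch r.Tag {
		case "issue", "issuewild", "iodef":
		default:
			if r.Flags&128 != 0 {
				return false, fmt.Errorf("critical unknown tag %q", r.Tag)
			}
			continue
		}
		if r.Tag != "issue" {
			continue
		}
		hasIssue = true
		domain, _, _ := strings.Cut(r.Value, ";")
		if d := strings.TrimSpace(domain); d != "" && strings.EqualFold(d, ca) {
			return true, nil
		}
	}
	return !hasIssue, nil
}

func main() {
	c, _ := parseCAA(`128 issue "letsencrypt.org"`)
	x, _ := parseTXT("v=caa1; f=128; t=issue; d=letsencrypt.org;")
	fmt.Printf("CAA: %+v\nTXT: %+v\nequal: %v\n", c, x, c == x)
	ok, err := mayIssue([]Record{x}, "letsencrypt.org")
	fmt.Println("letsencrypt.org may issue:", ok, err)
}
```

The version field is the part that matters for the poster's argument: `v=caa1` is what lets a resolver-side check discard the SPF and other policy TXT records that share the same name, exactly as `v=spf1` does today.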