> Hi Jacob,
> Perhaps not as elegant and concise, but a workaround would be to temporarily 
> (until 6844-bis gets incorporated into the Baseline Requirements) prohibit 
> multiple parameters in the same CAA record and instead require that multiple 
> parameters span multiple issue/issuewild records with the same Issuer Domain 
> Name.
> 
> For example, the following CAA issue record:
> CAA 0 issue "acmeca.com; validationmethods=http-01; 
> accounturi=https://api.acmeca.com/acct/1";
> 
> could be expressed with two records:
> CAA 0 issue "acmeca.com; validationmethods=http-01"
> CAA 0 issue "acmeca.com; accounturi=https://api.acmeca.com/acct/1";
> 
> This isn't very DRY, but this would avoid interoperability conflicts with 
> tooling and other CAs that refuse to issue certificates when encountering CAA 
> records with invalid syntax.
This doesn't work; it changes logical-AND to logical-OR.

For
> CAA 0 issue "acmeca.com; validationmethods=http-01; 
> accounturi=https://api.acmeca.com/acct/1";
the account URI AND validation method must match.

For
> CAA 0 issue "acmeca.com; validationmethods=http-01"
> CAA 0 issue "acmeca.com; accounturi=https://api.acmeca.com/acct/1";
at least one of the account URI OR validation method must match.

I support sticking with the current draft using semicolons.

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
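The AND-versus-OR difference raised in the reply above, as an added example that is not part of the original thread: a simplified evaluator (parameters split on ";", not a full CAA parser) applied to the two record sets from the message. The request list, including the second account URI `acct/2`, is constructed for illustration.

```python
# Added illustration, not code from the thread. Assumes the semantics stated in
# the reply: all parameters within one record must match; any one record suffices.

def parse_issue(value):
    """Split 'domain; k=v; k=v' into (issuer_domain, {k: v})."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in filter(None, parts[1:]):
        k, _, v = p.partition("=")
        params[k.strip()] = v.strip()
    return parts[0], params

def record_permits(value, ca_domain, method, account_uri):
    """One record permits issuance only if ALL of its parameters match."""
    domain, params = parse_issue(value)
    if domain != ca_domain:
        return False
    methods = params.get("validationmethods")
    if methods is not None and method not in methods.split(","):
        return False
    uri = params.get("accounturi")
    if uri is not None and account_uri != uri:
        return False
    return True

def rrset_permits(values, ca_domain, method, account_uri):
    """A record set permits issuance if ANY single record permits it."""
    return any(record_permits(v, ca_domain, method, account_uri) for v in values)

# Record values from the thread.
COMBINED = ["acmeca.com; validationmethods=http-01; accounturi=https://api.acmeca.com/acct/1"]
SPLIT = ["acmeca.com; validationmethods=http-01",
         "acmeca.com; accounturi=https://api.acmeca.com/acct/1"]

# Constructed requests: (validation method, account URI); acct/2 is hypothetical.
REQUESTS = [("http-01", "https://api.acmeca.com/acct/1"),
            ("http-01", "https://api.acmeca.com/acct/2"),
            ("dns-01", "https://api.acmeca.com/acct/1"),
            ("dns-01", "https://api.acmeca.com/acct/2")]

def compare():
    """Return (method, account, permitted_by_combined, permitted_by_split) rows."""
    return [(m, a, rrset_permits(COMBINED, "acmeca.com", m, a),
             rrset_permits(SPLIT, "acmeca.com", m, a)) for m, a in REQUESTS]

if __name__ == "__main__":
    for m, a, combined, split in compare():
        print(f"{m:8} {a}  combined={combined}  split={split}")
```

The two middle rows are the ones to watch: the combined record refuses them, while the split records allow http-01 from any account and any validation method from account 1.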
