Agree on both points.


From: Ryan Sleevi <ryan-i...@sleevi.com>
Date: Thursday, 10 October 2019 at 18:16
To: Yaron Sheffer <yaronf.i...@gmail.com>
Cc: Thomas Fossati <thomas.foss...@arm.com>, Ryan Sleevi <ryan-i...@sleevi.com>, "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] Fwd: New Version Notification for draft-ietf-acme-star-delegation-01.txt


On Thu, Oct 10, 2019 at 5:22 AM Yaron Sheffer <yaronf.i...@gmail.com> wrote:

I am wondering though about this sentence: A CA can "also offer additional 
validation methods/issuance flows which also use the "dns-01" method." Doesn't 
specifying "dns-01" restrict the CA to one particular validation/authorization 
flow?


No.


There's a gap in the assumption here, which is that the CA MUST support 
draft-ietf-acme-caa, which is not specified, and were it specified, runs into 
the set of issues covered in 
https://tools.ietf.org/html/draft-ietf-acme-caa-10#section-5 


However, setting that aside, the dns-01 validation method alone doesn't 
restrict the issuance pattern to just being STAR, which is the assertion "To 
restrict certificate delegation only to the protocol defined here:"

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
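
Added example, not code from this thread, from any CA, or from the STAR delegation draft: a small CAA policy check written to illustrate the point Ryan makes above. It follows the issue/issuewild processing of RFC 8659 and the validationmethods parameter from draft-ietf-acme-caa; the zone contents, the issuer name "ca.example", the mailto address and the flow names "ordinary" and "star-delegation" are all constructed for the example. The `implements_acme_caa` switch models the first gap (a CA that has not implemented draft-ietf-acme-caa has no semantics for the parameter; the assumption here is that it ignores it), and `check_flows` shows the second: the flow name is never consulted, because a `validationmethods=dns-01` record constrains the challenge type and nothing else.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (value 128) is the issuer-critical flag
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str


# Constructed zone data: only the apex carries CAA records.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "ca.example; validationmethods=dns-01"),
        CAARecord(0, "iodef", "mailto:caa@example.com"),
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(fqdn, zone):
    """RFC 8659 s3: walk toward the root, use the first CAA RRset found."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def parse_issue_value(value):
    """Split 'issuer-domain-name; k=v; k=v' into (issuer, {k: v})."""
    head, *rest = [part.strip() for part in value.split(";")]
    params = {}
    for item in rest:
        if item:
            key, _, val = item.partition("=")
            params[key.strip()] = val.strip()
    return head.lower(), params


def issuance_permitted(fqdn, ca, method, zone, wildcard=False,
                       implements_acme_caa=True):
    """True if issuer `ca` may issue for `fqdn` after validating control
    with ACME challenge `method` ("dns-01", "http-01", ...).

    implements_acme_caa=False models a CA that has not implemented
    draft-ietf-acme-caa; assumption: such a CA ignores validationmethods.
    """
    rrset = relevant_rrset(fqdn, zone)
    # Unknown property with the critical flag set: refuse (RFC 8659 s4.1).
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    # Wildcard names use issuewild when present, else fall back to issue.
    records = [r for r in rrset if r.tag == "issuewild"] if wildcard else []
    if not records:
        records = [r for r in rrset if r.tag == "issue"]
    if not records:
        return True  # no issue/issuewild property: CAA does not restrict
    for rec in records:
        issuer, params = parse_issue_value(rec.value)
        if issuer != ca:
            continue  # also covers 'issue ";"', which names no issuer
        if implements_acme_caa and "validationmethods" in params:
            allowed = {m.strip() for m in params["validationmethods"].split(",")}
            if method not in allowed:
                continue
        return True
    return False


def check_flows(fqdn, ca, method, zone,
                flows=("ordinary", "star-delegation")):
    """Evaluate one CAA policy for several issuance flows. The flow name
    is never consulted: nothing in the issue/issuewild vocabulary can say
    'only STAR', so dns-01 alone cannot restrict issuance to STAR."""
    return {flow: issuance_permitted(fqdn, ca, method, zone) for flow in flows}


if __name__ == "__main__":
    print(check_flows("www.example.com", "ca.example", "dns-01", ZONE))
    print(check_flows("www.example.com", "ca.example", "http-01", ZONE))
    print(issuance_permitted("www.example.com", "ca.example", "http-01", ZONE,
                             implements_acme_caa=False))
```

Run as a script it prints the same verdict for both flows under dns-01, the same refusal for both under http-01, and an acceptance of http-01 once the CA is modelled as not implementing the parameter.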