On Fri, Jul 07, 2023 at 10:06:15AM +1000, Fraser Tweedale wrote:
> - The main problem solved in my draft was: "in this /network
>   environment/, what ACME servers can/should I use?" The CAA-based
>   proposal answers a different question: "for this /domain/, what
>   ACME server should I use?" But (a) why would a domain owner need
>   to control this, and (b) it doesn't actually solve the problem
>   stated in the abstract:
>
> > This often leaves domain owners at the mercy of their hosting
> > provider as to which Certification Authorities (CAs) can be used.
>
> The hosting provider can still control which ACME servers can be
> reached, regardless of the preferences expressed via CAA records.
>

With respect to (a) - never mind. I thought about it some more and the
answer is obvious. Where a CA authorization (i.e. restriction) exists
in the form of a CAA record, it is useful to be able to direct a
client to the authorized issuer(s) for the affected domain(s). I see
that your draft solves a real problem.

But it does not help much in enterprise environments, where the
question is often "find me /some/ ACME server that I can reach/use, or
which the administrators prefer". Two different problems, two
complementary approaches.

Thanks,
Fraser

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
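As an added illustration of the CAA-directed client behaviour discussed in this thread (example code written for this page, not from either draft or from any ACME implementation): it parses a domain's CAA RRset per RFC 8659, honours `issue`/`issuewild`, the critical flag and the "nobody may issue" form, and then picks an ACME directory from a table of known servers. The table and the mapping from CAA issuer-domain-name to ACME directory URL are constructed assumptions, not the draft's discovery mechanism.

```python
"""Pick an ACME server permitted by a domain's CAA records (RFC 8659)."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed mapping from CAA issuer-domain-name to ACME directory URL.
# Assumption for this example only; the real source of such a mapping is
# exactly what the discovery drafts in this thread are about.
KNOWN_ACME_SERVERS: Dict[str, str] = {
    "ca-one.example": "https://acme.ca-one.example/directory",
    "ca-two.example": "https://acme.ca-two.example/directory",
}

def parse_caa(rr: str) -> Tuple[int, str, str]:
    """Parse one CAA RR in presentation format: FLAGS TAG "VALUE"."""
    m = re.fullmatch(r'\s*(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*', rr)
    if not m:
        raise ValueError(f"malformed CAA record: {rr!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)

def authorized_issuers(rrset: List[str], wildcard: bool = False) -> Optional[Set[str]]:
    """Issuer-domain-names allowed to issue; None means CAA imposes no
    restriction; an empty set means no issuer is authorized at all."""
    issue: List[str] = []
    issuewild: List[str] = []
    for rr in rrset:
        flags, tag, value = parse_caa(rr)
        if tag == "issue":
            issue.append(value)
        elif tag == "issuewild":
            issuewild.append(value)
        elif tag != "iodef" and flags & 0x80:
            # Critical flag on a tag we do not understand: RFC 8659 says
            # a CA must not issue, so treat it as "nobody authorized".
            return set()
    # For wildcard names issuewild takes precedence when present.
    chosen = issuewild if (wildcard and issuewild) else issue
    if not chosen:
        return None
    names: Set[str] = set()
    for v in chosen:
        domain = v.split(";", 1)[0].strip().lower()  # drop parameters
        if domain:  # 'issue ";"' authorizes nobody
            names.add(domain)
    return names

def pick_acme_server(rrset: List[str], wildcard: bool = False) -> Optional[str]:
    """First known ACME directory whose issuer the CAA RRset permits."""
    allowed = authorized_issuers(rrset, wildcard)
    for issuer, url in KNOWN_ACME_SERVERS.items():
        if allowed is None or issuer in allowed:
            return url
    return None
```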