On Sat, Mar 18, 2017 at 1:08 PM, Phillip Hallam-Baker <ph...@hallambaker.com> wrote:

>
>
> On Tue, Mar 14, 2017 at 2:24 PM, Richard Barnes <r...@ipv.sx> wrote:
>
>>
>>
>> On Tue, Mar 14, 2017 at 12:24 PM, Hugo Landau <hlan...@devever.net> wrote:
>>
>>> > > The CAA check is/was easy to make and crippling it
>>> > > by not making it a requirement was IMNSHO a mistake.
>>> > ...
>>> > > I urge the WG to reconsider.
>>> >
>>> > Does anyone else agree with Viktor?  Please speak up on the list this
>>> week if so.
>>>
>>> I'd agree that the CAA check should be made mandatory. At least, I can't
>>> think of any good reason why it shouldn't be.
>>>
>>
>> I very strongly disagree.  What checks the CA does before issuing is up
>> to the CA's policy.  This document provides tools for CAs to do those
>> checks; it does not constrain what CAs do.
>>
>>
>>
>>> I'd also agree that the use of a DNSSEC-validating resolver accessed via
>>> a trusted network (preferably localhost) should be mandatory.
>>>
>>
>> Likewise.
>>
>> --Richard
>>
>
> If that were so, why does ACME have any support for DNS validation? It
> is merely CA policy after all.
>
> The point of CAA is that it is the one mechanism that is provided to allow
> domain owners to signal to third parties what parties they authorize to
> issue certs.
>
> In my view CAA should be mandatory for the reasons above.
>
> The other reason for making CAA mandatory is that if we are going to fully
> automate the issue process, we might well want to use information in the
> CAA records to facilitate that. That was the reason I thought Paul
> Hoffman's idea of using the DNS name rather than a policy oid or some PKIX
> identifier was the right approach.
>

This specification has always been focused on providing tools for CAs,
*not* on constraining what CAs must do.  What MUSTs there are in the
specification are to make clear the mechanisms that the specifications
define, not to specify CA policy.

CAA is clearly on the other side of that line -- it's not a part of the
mechanisms we define in this specification, but a totally separate
mechanism that CAs apply to vet requests.  It's much more like high-value
name checking than DNS validation.

I would be fine adding a line to the "CA Policy Considerations" section
[1], which is where other similar things have gone.

To be clear: I think CAA checking is a good idea, and I'm delighted that
CABF recently decided to require it [2].  I just don't think it's
appropriate for ACME to require it.

--Richard


[1] https://ietf-wg-acme.github.io/acme/#rfc.section.10.5
[2] https://cabforum.org/pipermail/public/2017-March/009988.html
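As an added illustration that is not part of this thread or of the ACME specification, the following shows the CAA check under discussion as a CA would evaluate it: climb from the requested name toward the root to find the relevant CAA record set (the RFC 6844 search, without the CNAME chasing that RFC 8659 later dropped), then decide whether the CA, identified by its DNS name, is authorized. The zone contents and the CA name `ca.example` are constructed for the example; real answers would come from the DNSSEC-validating resolver Hugo mentions, which is not modelled here.

```python
"""Evaluate whether a CA (identified by a DNS name, as in CAA) may issue for a name."""
from dataclasses import dataclass

@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (value 128) marks the property as critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # for issue/issuewild: CA domain, optional ";param=value" suffix

# Constructed sample zone (assumption, not real DNS data).
SAMPLE_ZONE = {
    "example.com": [CAARecord(0, "issue", "ca.example"),
                    CAARecord(0, "issuewild", ";")],        # no wildcard issuance
    "wild.example": [CAARecord(0, "issue", "ca.example; validationmethods=dns-01")],
    "report.example": [CAARecord(0, "iodef", "mailto:security@report.example")],
    "locked.example": [CAARecord(128, "unknown-tag", "x")],  # critical, unknown
}

def relevant_record_set(name, zone):
    """Return the CAA records of the closest ancestor-or-self that has any."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return []

def ca_domain(value):
    """Strip CAA parameters (';key=value') and normalise the issuer name."""
    return value.split(";", 1)[0].strip().lower()

def caa_authorizes(name, ca_identifier, zone, wildcard=False):
    rrset = relevant_record_set(name, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is not restricted
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & 128 and r.tag.lower() not in known for r in rrset):
        return False  # a critical property the CA does not understand: refuse
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild takes precedence for wildcard names
    matching = [r for r in rrset if r.tag.lower() == tag]
    if not matching:
        return True  # no issue restriction present (e.g. only iodef records)
    return ca_identifier.lower() in {ca_domain(r.value) for r in matching}
```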
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
