Agreed, I look forward to discussing this with the whole group. In general I strongly approve of having CAA checks for all forms of issuance. However, this version of CAA (implemented as a new second layer hidden service descriptor) requires the CA to operate a Tor Client in order to inspect it. This (in my opinion) completely obviates the benefits of the proposed "onion-csr-01" method (equivalent to the current BRs Appendix B 2.b. method) -- namely that the whole validation process can be conducted without the CA operating a Tor client to reach out to the onion service in question. I believe that requiring CAA checks *of this form* will prevent adoption / implementation by CAs, and thus defeats the purpose of the draft.
Aaron

On Thu, Jul 27, 2023 at 10:40 AM Tim Hollebeek via Servercert-wg <[email protected]> wrote:

> Hello Q,
>
> My opinion is that this would be a great discussion to have at an upcoming meeting of the Validation Subcommittee.
>
> -Tim
>
> *From:* Servercert-wg <[email protected]> *On Behalf Of *Dean Coclin via Servercert-wg
> *Sent:* Wednesday, July 26, 2023 7:22 PM
> *To:* [email protected]
> *Subject:* [Servercert-wg] Message
>
> One of the new Interested Party members tried to post to the group but it bounced. I’ve asked Wayne to look at it but in the meantime, I’m reposting the message for him:
>
> I'd like to start some discussion on the WG's opinions of CAA for Tor hidden services, using my draft-ietf-acme-onion <https://url.avanan.click/v2/___https:/e.as207960.net/w4bdyj/cNl2iFrs___.YXAzOmRpZ2ljZXJ0OmE6bzpkYjQ2NzJkNWY3YjUxMTJiZmQxNjNmYTk2NTBhZjhkMzo2OjQyMTU6MDk0MWNmODEyMzRiODQ1NDJmNDQ3ZDM3ZGVlYTJlMTllMjg2YTJmMTc2NWMwODE1ZmY4ODhiNGFlOGMzZTEwZjpoOkY> and my Tor Spec proposal 343-rend-caa <https://url.avanan.click/v2/___https:/e.as207960.net/w4bdyj/YAae97pn___.YXAzOmRpZ2ljZXJ0OmE6bzpkYjQ2NzJkNWY3YjUxMTJiZmQxNjNmYTk2NTBhZjhkMzo2OjBmOGU6NjBhMWYzOTE5ZDVkYmQ1Y2EzZjJkZDA5NTVmZDA1ZjZmNzY2NjdlOGFhOTk2NmUxMTU4M2I1MGZlZWMwNWQwYjpoOkY>, as part of the ACME for Onions <https://url.avanan.click/v2/___https:/e.as207960.net/w4bdyj/wi4TBMXN___.YXAzOmRpZ2ljZXJ0OmE6bzpkYjQ2NzJkNWY3YjUxMTJiZmQxNjNmYTk2NTBhZjhkMzo2OjQ4NDU6ZjExMjlmOGQzNWZjZjNhZGNjMDhlZWVhZDRlNmQyODBhMTAzOTJiMjUzMWExYjM1OGEzZTJmODAyZDFlMGQzMzpoOkY> project.
>
> Specifically:
>
> - is this something the WG likes?
> - should CAA checking be required for Tor?
>
> Thanks,
>
> Q Misell
>
> _______________________________________________
> Servercert-wg mailing list
> [email protected]
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
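The contrast Aaron draws above can be made concrete. What follows is an added example, not code from the thread, from draft-ietf-acme-onion, or from Tor: a v3 .onion address is just an encoding of the service's ed25519 public key, so in an Appendix B 2.b / onion-csr-01 style check the CA derives the expected key from the requested address, compares it with the key in the request, and verifies a signature over the nonce it issued, all without opening a Tor circuit. A CAA record published in a second-layer descriptor, by contrast, can only be read by fetching that descriptor through a Tor client. Everything in the block is an assumption made for illustration: the function names (onion_address, onion_pubkey, applicant_build_csr, ca_check_onion_csr), the dict that stands in for the real CSR attributes, and the reference-style pure-Python ed25519, which is there only so the example runs on a stock interpreter with no third-party packages.

```python
# Added example, not code from the thread, draft-ietf-acme-onion or Tor. Stdlib only;
# the ed25519 here is a reference-style illustration (affine, variable time), not a
# library for production use. The "CSR" is a dict stand-in for PKCS#10 attributes.
import base64, hashlib, os

# ---- ed25519 as specified in RFC 8032 ----
q = 2**255 - 19
l = 2**252 + 27742317777372353535851937790883648493
d = (-121665 * pow(121666, q - 2, q)) % q
I = pow(2, (q - 1) // 4, q)

def _xrecover(y):  # recover the even x coordinate for a given y
    xx = (y * y - 1) * pow(d * y * y + 1, q - 2, q)
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q:
        x = (x * I) % q
    return q - x if x & 1 else x

By = 4 * pow(5, q - 2, q) % q
B = (_xrecover(By), By)  # base point

def _add(P, Q):  # twisted Edwards point addition
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + t, q - 2, q) % q,
            (y1 * y2 + x1 * x2) * pow(1 - t, q - 2, q) % q)

def _mul(P, e):  # double-and-add scalar multiplication
    R = (0, 1)
    while e:
        if e & 1:
            R = _add(R, P)
        P, e = _add(P, P), e >> 1
    return R

def _encode(P):  # 32 bytes: y little-endian, sign of x in the top bit
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")

def _decode(s):
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = _xrecover(y)
    if (x & 1) != (s[31] >> 7):
        x = q - x
    if (-x * x + y * y - 1 - d * x * x * y * y) % q:
        raise ValueError("point not on curve")
    return (x, y)

def _scalar(h):  # clamped secret scalar from SHA-512(seed)
    return (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)

def ed25519_pubkey(seed):
    return _encode(_mul(B, _scalar(hashlib.sha512(seed).digest())))

def ed25519_sign(seed, msg):
    h, pk = hashlib.sha512(seed).digest(), ed25519_pubkey(seed)
    r = int.from_bytes(hashlib.sha512(h[32:] + msg).digest(), "little") % l
    R = _encode(_mul(B, r))
    k = int.from_bytes(hashlib.sha512(R + pk + msg).digest(), "little") % l
    return R + ((r + k * _scalar(h)) % l).to_bytes(32, "little")

def ed25519_verify(pk, msg, sig):  # False on malformed input or non-canonical S
    try:
        R, A = _decode(sig[:32]), _decode(pk)
    except (ValueError, IndexError):
        return False
    S = int.from_bytes(sig[32:], "little")
    k = int.from_bytes(hashlib.sha512(sig[:32] + pk + msg).digest(), "little") % l
    return (len(pk) == 32 and len(sig) == 64 and S < l
            and _mul(B, S) == _add(R, _mul(A, k)))

# ---- v3 onion address = base32(PUBKEY || CHECKSUM || VERSION) ----
def _checksum(pk):
    return hashlib.sha3_256(b".onion checksum" + pk + b"\x03").digest()[:2]

def onion_address(pk):
    return base64.b32encode(pk + _checksum(pk) + b"\x03").decode().lower() + ".onion"

def onion_pubkey(addr):  # parse and validate; the address *is* the key
    addr = addr.lower()
    if len(addr) != 62 or not addr.endswith(".onion"):
        raise ValueError("not a v3 onion address")
    raw = base64.b32decode(addr[:56], casefold=True)
    if raw[34:] != b"\x03" or raw[32:34] != _checksum(raw[:32]):
        raise ValueError("bad onion address version or checksum")
    return raw[:32]

# ---- onion-csr-01-style proof of control: the CA never contacts the service ----
def _tbs(csr):  # bytes the applicant signs; stand-in for the real CSR attributes
    return csr["onion_pubkey"] + csr["ca_nonce"] + csr["applicant_nonce"]

def applicant_build_csr(seed, ca_nonce):  # applicant side, run by the service operator
    csr = {"onion_pubkey": ed25519_pubkey(seed), "ca_nonce": ca_nonce,
           "applicant_nonce": os.urandom(16)}
    csr["signature"] = ed25519_sign(seed, _tbs(csr))
    return csr

def ca_check_onion_csr(requested_addr, issued_ca_nonce, csr):  # CA side, fully offline
    try:
        pk = onion_pubkey(requested_addr)
    except ValueError:
        return False
    return (csr["onion_pubkey"] == pk and csr["ca_nonce"] == issued_ca_nonce
            and ed25519_verify(pk, _tbs(csr), csr["signature"]))
```

Run with a constructed seed and nonce, the honest request verifies while a stale nonce, a request signed under a different key, a tampered applicant nonce and a malformed address all fail; the CA-issued nonce is what stops an old signature being replayed against a later request, and nothing in the CA's path depends on reachability of the service.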
