> On Jun 18, 2016, at 4:35 PM, Aaron Zauner <[email protected]> wrote:
>
>>>
>>> i.e. one could effectively restrict validation to a certain CA (say for
>>> example Let's Encrypt).
>>
>> One could attempt to ask other CAs to not issue certificates for
>> one's domain. In practice, this is mostly useless.
>
> How would that work? You mail each CA not to issue for your domain and expect
> that they'll honor your request (also intermediates)? I'm not sure where
> you're going with that. It doesn't seem like anything that would actually
> work in the real world and the threat model is just insane.

Sorry, I was a bit too concise; by "ask other CAs" I meant "publish a CAA
RRset", and in my view this is pointless, because most CAs don't support the
optional CAA standard.

--
Viktor.