Certification Authority Authorization (CAA) Record Extensions for Account URI and Automatic Certificate Management Environment (ACME) Method Binding
draft-ietf-acme-caa-10
Technical Summary
The CAA DNS record allows a domain to communicate issuance policy to
CAs, but only allows a domain to define policy with CA-level
granularity. However, the CAA specification also provides facilities
for extension to admit more granular, CA-specific policy. This
specification defines two such parameters, one allowing specific
accounts of a CA to be identified by URI and one allowing specific
methods of domain control validation as defined by the ACME protocol
to be required.
Working Group Summary
Earlier drafts used a hyphen character in the "validationmethods" and
"accounturi" parameters that was incompatible with the grammar defined in RFC
6844. This has been addressed in the latest draft by removing the hyphen
character.
Early discussion of the draft addressed issues raised by the community with
regards to the security considerations section, and the handling of non-ACME
challenge methods. Overall consensus was reached within the WG process without
any rough areas and no controversial topics remain unaddressed.
Document Quality
Let's Encrypt, a large high-volume production ACME based CA, has fully
implemented the ACME-CAA draft in a testing environment (not yet promoted to
production usage). Let's Encrypt has committed to promoting ACME-CAA features
to production in the near future.
The overall document quality is high. Developing an implementation based on the
specification text is reasonable.
Personnel
The document shepard is Daniel McCarney.
The responsible area director is Roman Danyliw.