Certification Authority Authorization (CAA) Record Extensions for Account URI and Automatic Certificate Management Environment (ACME) Method Binding

Approval announcement
Draft of message to be sent after approval:

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: rdd@cert.org, The IESG <iesg@ietf.org>, Daniel McCarney <cpu@letsencrypt.org>, acme@ietf.org, cpu@letsencrypt.org, draft-ietf-acme-caa@ietf.org, acme-chairs@ietf.org, rfc-editor@rfc-editor.org
Subject: Protocol Action: 'CAA Record Extensions for Account URI and ACME Method Binding' to Proposed Standard (draft-ietf-acme-caa-09.txt)

The IESG has approved the following document:
- 'CAA Record Extensions for Account URI and ACME Method Binding'
  (draft-ietf-acme-caa-09.txt) as Proposed Standard

This document is the product of the Automated Certificate Management
Environment Working Group.

The IESG contact persons are Benjamin Kaduk and Roman Danyliw.

A URL of this Internet Draft is:

Technical Summary

The CAA DNS record allows a domain to communicate issuance policy to
CAs, but only allows a domain to define policy with CA-level
granularity.  However, the CAA specification also provides facilities
for extension to admit more granular, CA-specific policy.  This
specification defines two such parameters, one allowing specific
accounts of a CA to be identified by URI and one allowing specific
methods of domain control validation as defined by the ACME protocol
to be required.

Working Group Summary

Earlier drafts used a hyphen character in the "validationmethods" and
"accounturi" parameters that was incompatible with the grammar defined in RFC
6844. This has been addressed in the latest draft by removing the hyphen

Early discussion of the draft addressed issues raised by the community with
regards to the security considerations section, and the handling of non-ACME
challenge methods. Overall consensus was reached within the WG process without
any rough areas and no controversial topics remain unaddressed.

Document Quality

Let's Encrypt, a large high-volume production ACME based CA, has fully
implemented the ACME-CAA draft in a testing environment (not yet promoted to
production usage). Let's Encrypt has committed to promoting ACME-CAA features
to production in the near future.

The overall document quality is high. Developing an implementation based on the
specification text is reasonable.


The document shepard is Daniel McCarney. 

The responsible area director is Roman Danyliw.