I'd like to propose the following addition to the specification.
Any comments?


CAA Record Use
--------------

An ACME server SHOULD support CAA DNS records as described in
{{RFC6844}}. The server SHOULD look for such records when issuing
authorizations, as opposed to when issuing certificates.

CAA is designed to be extensible beyond mere CA-level authorization. It
is RECOMMENDED that ACME servers support the following account key
parameter to allow issuance to be restricted to the bearer of a given
account key.

A CAA record parameter "acme-ak" is defined. The value of this parameter
MUST be the base64url encoding of the JWK thumbprint of the account key.

If an ACME server finds multiple CAA records pertaining to it (i.e.,
having property 'issue' and a domain that the ACME server recognises as
its own) with different "acme-ak" parameters, at least one of the
specified key thumbprints must match the requesting account key.  A
record without an "acme-ak" parameter matches any account key.  A record
with an invalid "acme-ak" parameter (i.e. one that is not a valid
base64url string 44 characters long) or with multiple "acme-ak"
parameters is unsatisfiable.

The following shows an example configuration which nominates two account
keys as authorized to issue certificates for the domain example.com.
Issuance is restricted to the CA "example.net".

example.com. IN CAA 0 issue "example.net; acme-ak=UKNmi2whPhuAhDvAxGa_aOZgPzyJDhhsrt-8Bt2fWh0="
example.com. IN CAA 0 issue "example.net; acme-ak=rlp4OZPOR9MKejkOdZAKQ5Tfwce6llawmrDIh-BtNJ0="
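
As an added worked example (not part of the proposal, and not code from any ACME implementation), the following Python sketch applies the matching rules above on the server side: it computes the RFC 7638 thumbprint of an account JWK in the padded 44-character form the proposal uses, parses "issue" property values such as the two records above, and decides whether an authorization may be issued. The CA identity example.net, the constructed account key, and the function names are assumptions made here for illustration; RFC 6844 record selection (tree climbing) is assumed to have been done before these values are passed in.

```python
import base64
import hashlib
import json
import re

# Issuer domain this (hypothetical) ACME server recognises as its own.
CA_DOMAIN = "example.net"

# Constructed EC account key with placeholder coordinates; not a real key.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "constructed-x-coordinate-not-a-real-key",
    "y": "constructed-y-coordinate-not-a-real-key",
}

# A SHA-256 thumbprint in padded base64url is always 43 data characters
# plus one "=", i.e. exactly the 44-character form the proposal requires.
_THUMBPRINT_RE = re.compile(r"^[A-Za-z0-9_-]{43}=$")
_REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    members (lexicographic order, no whitespace), base64url encoded.
    Padding is kept so the result is 44 characters, as in the proposal."""
    members = _REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii")


def parse_issue_value(value):
    """Split an 'issue' property value into (issuer domain, parameter list).
    Parameters are returned as a list so that duplicates remain visible."""
    fields = [f.strip() for f in value.split(";")]
    domain = fields[0].lower()
    params = []
    for field in fields[1:]:
        if not field:
            continue
        name, _, val = field.partition("=")
        params.append((name.strip().lower(), val.strip()))
    return domain, params


def evaluate_record(value, account_thumbprint):
    """Apply the proposal's rules to one 'issue' record value.
    Returns None when the record names a different CA, otherwise one of
    "match", "no-match" or "unsatisfiable"."""
    domain, params = parse_issue_value(value)
    if domain != CA_DOMAIN:
        return None
    thumbprints = [v for name, v in params if name == "acme-ak"]
    if not thumbprints:
        return "match"              # no acme-ak: matches any account key
    if len(thumbprints) > 1:
        return "unsatisfiable"      # multiple acme-ak parameters
    candidate = thumbprints[0]
    if not _THUMBPRINT_RE.match(candidate):
        return "unsatisfiable"      # malformed acme-ak value
    return "match" if candidate == account_thumbprint else "no-match"


def authorization_permitted(issue_values, account_jwk):
    """Decide whether an authorization may be issued to account_jwk, given
    the 'issue' property values already selected per RFC 6844."""
    if not issue_values:
        return True                 # no CAA restriction at all
    tp = jwk_thumbprint(account_jwk)
    outcomes = [evaluate_record(v, tp) for v in issue_values]
    relevant = [o for o in outcomes if o is not None]
    # At least one record naming this CA must be satisfied by this key;
    # "no-match" and "unsatisfiable" records are simply passed over. If no
    # record names this CA at all, RFC 6844 forbids issuance.
    return "match" in relevant


if __name__ == "__main__":
    tp = jwk_thumbprint(SAMPLE_ACCOUNT_JWK)
    # The first two thumbprints are the ones from the example records above;
    # neither belongs to the constructed key, so only the third record matches.
    zone = [
        "example.net; acme-ak=UKNmi2whPhuAhDvAxGa_aOZgPzyJDhhsrt-8Bt2fWh0=",
        "example.net; acme-ak=rlp4OZPOR9MKejkOdZAKQ5Tfwce6llawmrDIh-BtNJ0=",
        "example.net; acme-ak=" + tp,
    ]
    print("account thumbprint:", tp)
    for v in zone:
        print(evaluate_record(v, tp), "<-", v)
    print("permitted:", authorization_permitted(zone, SAMPLE_ACCOUNT_JWK))
```

Parameters are kept as a list rather than a dict so that a second "acme-ak" parameter is detected instead of silently overwriting the first, which is what makes the "multiple parameters is unsatisfiable" rule enforceable.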

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme