This seems like a fine idea. You would need either a way to map from domain names to ACME server URLs, or a new CAA record type to hold the URL. I would honestly kind of prefer the former, to avoid confusion.
I would also like to have a CAA record type for authorizing validation methods, so that a domain holder can request that CAs only use certain validation methods, regardless of what the ACME client requests. Both of these ideas are good targets for a separate spec, since they're pretty well decoupled from ACME itself.

On Wed, Feb 3, 2016 at 2:17 PM, Phillip Hallam-Baker <[email protected]> wrote:
> I would like to propose that we use RFC6844 to allow clients to
> discover the CA to direct requests to.
>
> A DNS name MAY have multiple CAA records. Each record has a tag
> specifying the purpose and a text field. So we would add in a text
> field for ACME.
>
> The simplest version would be something of the form:
>
> example.com CAA 0 acme "comodo.com"
>
>
> The typical enterprise case has the request going to an LRA because
> that is where the account key pair is held and that is what did the
> validation against the CA.
>
> I am thinking through that part.
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
>
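Added worked example, not code from this thread or from any CA or ACME implementation: how an ACME client could consume the CAA-based discovery records discussed above. What is real here is RFC 6844 presentation syntax (`<flags> <tag> "<value>"`), the issuer-critical flag bit (128), and the rule that the CAA RRset that applies is the one on the closest ancestor name that has one. What is assumed for illustration: the `acme` tag from the quoted proposal, a placeholder `validation` tag name for the validation-method idea (no such tag is registered), the mapping from a CA name to its ACME directory URL that the reply says would be needed, and all zone data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

ISSUER_CRITICAL = 0x80  # RFC 6844 flag bit 0, "issuer critical"

# Tags this client understands. RFC 6844 forbids a CA from issuing when it
# meets a critical record with a tag it does not understand, so we surface
# such records rather than silently skipping them.
# "acme" is the tag from the quoted proposal; "validation" is a placeholder.
KNOWN_TAGS = {"issue", "issuewild", "iodef", "acme", "validation"}

# Assumed table from the CA name in an "acme" record to a directory URL;
# the reply above notes that some such mapping would have to exist.
DIRECTORY_FOR_CA = {
    "comodo.com": "https://acme.example.net/comodo/directory",
    "other-ca.example": "https://acme.other-ca.example/directory",
}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & ISSUER_CRITICAL)


def parse_caa(text: str) -> CAARecord:
    """Parse one CAA record in presentation format: <flags> <tag> "<value>"."""
    parts = text.split(None, 2)
    if len(parts) != 3:
        raise ValueError(f"malformed CAA record: {text!r}")
    flags_s, tag, value = parts
    flags = int(flags_s)
    if not 0 <= flags <= 255:
        raise ValueError("CAA flags must fit in one octet")
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return CAARecord(flags, tag.lower(), value)  # tags are case-insensitive


def lookup_caa(zone: Dict[str, List[str]], name: str) -> List[CAARecord]:
    """RFC 6844 section 4: walk towards the root and use the first name that
    has a CAA RRset. CNAME/DNAME following is omitted for brevity."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return [parse_caa(r) for r in rrset]
        labels = labels[1:]
    return []


def unknown_critical_tags(records: List[CAARecord]) -> List[str]:
    """Critical tags this implementation does not understand (would block issuance)."""
    return sorted({r.tag for r in records if r.critical and r.tag not in KNOWN_TAGS})


def acme_directory(records: List[CAARecord]) -> Optional[str]:
    """Resolve the proposed "acme" tag to a directory URL via the assumed table."""
    for r in records:
        if r.tag == "acme":
            return DIRECTORY_FOR_CA.get(r.value)
    return None


def validation_allowed(records: List[CAARecord], method: str) -> bool:
    """Placeholder "validation" tag: space-separated allow-list of challenge
    types. Absence of the tag means every method is permitted."""
    lists = [r.value.split() for r in records if r.tag == "validation"]
    return True if not lists else any(method in allowed for allowed in lists)


def plan_issuance(zone: Dict[str, List[str]], name: str, method: str) -> dict:
    """What the client needs to decide before contacting any CA for `name`."""
    records = lookup_caa(zone, name)
    return {
        "directory": acme_directory(records),
        "method_ok": validation_allowed(records, method),
        "blocking_tags": unknown_critical_tags(records),
    }


# Constructed zone data for the demo, not real DNS.
ZONE = {
    "example.com": [
        '0 issue "comodo.com"',
        '0 acme "comodo.com"',
        '0 validation "dns-01 http-01"',
    ],
    "locked.example.com": [
        '128 acme "other-ca.example"',  # critical, but understood
        '128 frobnicate "x"',           # critical and unknown: must not be ignored
    ],
}

if __name__ == "__main__":
    for host, method in [("www.example.com", "dns-01"),
                         ("www.example.com", "tls-sni-01"),
                         ("locked.example.com", "http-01")]:
        print(host, method, plan_issuance(ZONE, host, method))
```

The parent walk matters in practice: `www.example.com` has no records of its own, so the client inherits the policy set on `example.com`, which is also where a CA would look before issuing. The `frobnicate` case shows why a client should not simply ignore records it does not recognize: with the critical bit set, a conforming CA will refuse issuance for that name regardless of what the client asks for.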
