As Rich said, the CA/Browser Forum has indeed voted to mandate CAA. Hooray!

On 03/13/2017 01:14 PM, Viktor Dukhovni wrote:
> I've had complete disinterest in CAA which initially was accepted
> by CA/B forum as a "recommendation", which meant that the constraint
> was meaningless. Rumour has it that CAA will soon be a requirement,
> so I've now published CAA records. The CAA check is/was easy to
> make and crippling it by not making it a requirement was IMNSHO a
> mistake.

I think by this you mean that the CA/Browser Forum should have mandated CAA support in its Baseline Requirements, back when it first adopted CAA as "recommended." Is that right?

I think the analogous goal here is that you'd like the CA/Browser Forum to mandate use of a DNSSEC-validating recursive resolver during DNS-based validation procedures. That's great! However, I don't think mandating use of a DNSSEC-validating resolver in the ACME spec will achieve that goal, since the CA/Browser Forum is not planning to mandate use of the ACME spec.

I realize that the CA/Browser Forum seems relatively opaque and hard to participate in, but if you check their bylaws it is possible for any member of the public (not just a CA or a Browser) to directly participate in the mailing list by submitting a simple form. I'd encourage you to get involved!
