> > . . . A CA MUST only consider a property with an "account-uri" > > parameter to authorize issuance where the URI specified is an URI > > that the CA recognises as identifying the account making a > > certificate issuance request. > > > > > This is not a [crisp] MUST statement. I think it is trying to say two > > > things > when the "account-uri" is present: > > > > > (1) the CA MUST NOT issue a certificate containing the domain name that > contains the CAA Resource Record if it does not recognize the account > referenced by the URI. > > > > > (2) the CA MUST use the account referenced by the URI in the > authorization process for a certificate request for the domain containing the > CAA Resource Record. > > > > > If this is correct, please separate these two requirements. If it is not > correct, please explain the text. > > > > Can you post an update next week? If not, would it help to add another > author to do so? I would like to move this forward to the IESG soon. Please > respond by early next week. > > I don't understand this issue. The wording is clear.
It's understandable, yes. Does Russ's proposal have the same meaning? I'm not sure. That means, I think that the original wording could stand a bit of clarification. _______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
