On Sat, Jun 17, 2017 at 11:03:32PM +0000, Salz, Rich wrote:
> > > >    . . .  A CA MUST only consider a property with an "account-uri"
> > > >    parameter to authorize issuance where the URI specified is an URI
> > > >    that the CA recognises as identifying the account making a
> > > >    certificate issuance request.
> > > >
> > > > This is not a [crisp] MUST statement.  I think it is trying to say two
> > > > things when the "account-uri" is present:
> > > >
> > > > (1)  the CA MUST NOT issue a certificate containing the domain name that
> > > > contains the CAA Resource Record if it does not recognize the account
> > > > referenced by the URI.
> > > >
> > > > (2)  the CA MUST use the account referenced by the URI in the
> > > > authorization process for a certificate request for the domain containing
> > > > the CAA Resource Record.
> > > >
> > > > If this is correct, please separate these two requirements.  If it is
> > > > not correct, please explain the text.
> > >
> > > Can you post an update next week?  If not, would it help to add another
> > > author to do so?  I would like to move this forward to the IESG soon.
> > > Please respond by early next week.
> >
> > I don't understand this issue. The wording is clear.
>
> It's understandable, yes.   Does Russ's proposal have the same meaning?   I'm
> not sure.  That means, I think that the original wording could stand a bit of
> clarification.

(2) is weird. It talks about 'using an account', as though a CAA record
can dictate what account is to be used. It almost suggests something
like this:

  - I register account A and issue for example.com and set up ACME-CAA
    for that account
  - An unrelated party creates account B and requests issuance for
    example.com without control over that domain; the CA identifies
    the account specified in ACME-CAA, finds it authorised to issue
    for example.com and issues under it (!!!)

Moreover, it talks about how the CA MUST NOT issue a certificate under
certain circumstances. But an individual CAA record never prevents
issuance, per se (although the presence of any CAA records creates the
requirement that at least one pass); at the worst it merely fails to
authorize issuance in a particular case (but other adjacent CAA records
might).

Because of this I think it's necessary to keep the wording in terms of
whether a CAA property authorizes issuance, rather than an enumeration
of cases in which issuance MUST NOT occur. That's simply not possible
when speaking about a single CAA record without regard to the other CAA
records which might be adjacent to it.

I'm open to clearer wording but I can't see any better way to express
this accurately than talking about whether a given CAA property
authorizes issuance.

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
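An added example, not part of this thread or of the ACME draft text, of the evaluation model argued for above: each CAA property either authorizes a request or does not, issuance requires at least one property to authorize whenever any CAA records exist, and a property carrying "account-uri" authorizes only the account it names. The record syntax, the parameter name "account-uri" and the sample account URIs are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Assumed record shape (illustration only, not the draft's exact syntax):
# an "issue" property value is a CA domain followed by optional
# "; key=value" parameters, one of which may be "account-uri".
@dataclass(frozen=True)
class CaaProperty:
    tag: str            # e.g. "issue"
    ca_domain: str      # e.g. "ca.example"
    params: Dict[str, str]  # e.g. {"account-uri": "https://ca.example/acct/A"}

def parse_issue_value(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'ca.example; account-uri=https://...' into CA domain and parameters."""
    head, *rest = [part.strip() for part in value.split(";")]
    params: Dict[str, str] = {}
    for item in rest:
        if "=" in item:
            key, val = item.split("=", 1)
            params[key.strip()] = val.strip()
    return head, params

def property_authorizes(prop: CaaProperty, ca_domain: str, account_uri: str) -> bool:
    """One property either authorizes this request or it does not.
    On its own it never forbids issuance; adjacent properties may still authorize."""
    if prop.tag != "issue" or prop.ca_domain != ca_domain:
        return False
    bound = prop.params.get("account-uri")
    # A property bound to an account authorizes only that account,
    # so a different account cannot borrow its authorization.
    return bound is None or bound == account_uri

def issuance_authorized(props, ca_domain: str, account_uri: str) -> bool:
    """No CAA records: no CAA restriction. Otherwise at least one must authorize."""
    if not props:
        return True
    return any(property_authorizes(p, ca_domain, account_uri) for p in props)

# Constructed sample data: account A is bound in CAA, account B is unrelated.
ACCT_A = "https://ca.example/acme/acct/A"
ACCT_B = "https://ca.example/acme/acct/B"
BOUND = CaaProperty("issue", *parse_issue_value("ca.example; account-uri=" + ACCT_A))
UNBOUND = CaaProperty("issue", *parse_issue_value("ca.example"))
OTHER_CA = CaaProperty("issue", *parse_issue_value("other-ca.example"))
```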