> A CA MAY proceed with issuance if a CAA record is present whose value matches
> the account-uri parameter of the account making the request.
> If no CAA records have such a match, then the CA MUST NOT proceed with
> issuance.

This neglects to include the other criteria for validation of a CAA record, however; the wording here suggests this is the only aspect of a CAA record that needs to be validated. If you want to describe a sufficient condition, rather than a necessary one, it stands to reason you'd have to copy and paste large amounts of language from the CAA specification into the specification.
Currently we have:

    A CA MUST only consider a property with an "account-uri" parameter to authorize issuance where the URI specified is an URI that the CA recognises as identifying the account making a certificate issuance request.

We could also negate it, which might actually be better - the above is slightly more susceptible to being confused for a statement of a sufficient condition:

    A CA MUST NOT consider a property with an "account-uri" parameter to authorize issuance unless the URI specified is an URI that the CA recognises as identifying the account making a certificate issuance request.

This might be easier to read, though it is actually slightly longer:

    Where a CAA property has an "account-uri" parameter, a CA MUST NOT consider that property to authorize issuance in the context of a given certificate issuance request unless the CA recognises the URI specified as identifying the account making that request.

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
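The necessary-condition rule discussed above, as an added Python example that is not code from the thread or from the draft: a CA-side check in which a CAA "issue" property carrying the account-URI parameter is never treated as authorizing issuance unless its URI is the one the CA recognises for the requesting account, while the usual issuer-domain matching still applies. The parameter tag "account-uri", the CA domain, the account URIs and the CAA values are constructed for illustration (the published RFC 8657 spells the tag "accounturi"); URI comparison is exact string equality.

```python
"""CAA 'issue' property evaluation with an account-URI binding parameter."""
from typing import Dict, List, Optional, Tuple

# Tag as it is named in the thread; RFC 8657 later settled on "accounturi".
ACCOUNT_URI_TAG = "account-uri"


def parse_issue_value(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'ca.example; k=v; k2=v2' into (issuer_domain, {param: value})."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed CAA parameter: {part!r}")
        key, val = part.split("=", 1)
        params[key.strip().lower()] = val.strip()
    return issuer, params


def property_authorizes(value: str, ca_domain: str, account_uri: Optional[str]) -> bool:
    """Does a single CAA issue property authorize this CA for this account?

    Matching the issuer domain is necessary but not sufficient: a property
    that carries the account-URI parameter MUST NOT be considered to
    authorize issuance unless the URI is the one the CA recognises as
    identifying the requesting account. An empty issuer (';') authorizes
    nobody.
    """
    issuer, params = parse_issue_value(value)
    if issuer == "" or issuer != ca_domain.lower():
        return False
    bound_uri = params.get(ACCOUNT_URI_TAG)
    if bound_uri is None:
        return True  # unbound property: any account of this CA may issue
    return account_uri is not None and bound_uri == account_uri


def issuance_permitted(issue_values: List[str], ca_domain: str,
                       account_uri: Optional[str]) -> bool:
    """No relevant issue properties at all: CAA does not restrict issuance.
    Otherwise at least one property must authorize this CA and account."""
    if not issue_values:
        return True
    return any(property_authorizes(v, ca_domain, account_uri) for v in issue_values)
```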
