On 20 June 2017 at 22:08, Salz, Rich <[email protected]> wrote: >> Where a CAA property has an "account-uri" parameter, a CA MUST NOT >> consider that property to authorize issuance in the context of a given >> certificate issuance request unless the CA recognises the URI >> specified as identifying the account making that request. > > I like this. Martin and Russ, your views?
It's an improvement, certainly. For brevity I would say: "unless the account URI corresponds to the account making that request." There are many specification pitfalls here regarding how you might compare URIs, but this neatly avoids those and leaves the authority for that space (the CA) in the position where it performs the comparison. _______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
