On 26 June 2017 at 02:56, Yaron Sheffer <[email protected]> wrote:
> I'm not following you. In Sec. 3.4 we're saying that the (periodically
> rolling) certificate is always available on the same URL, the "certificate
> endpoint". Since the content available at that URL changes from time to
> time, we wanted to indicate its end-of-validity with an HTTP header. If
> "Expires" is not the right header, is there a better way to do it?
I was talking about using the order. The creation of the order and the representation that you receive at that point will include the time. And that's enough. That info can be conveyed along with the URL for the certificate to endpoints, if they care.

> But people are not obligated to implement IETF protocols. OTOH some
> organizations *are* bound by CA/B Forum rules. And this section is
> predicated on the assumption that all "reasonable" CAs do honor CAA records,
> otherwise a rogue CDN employee can create a certificate for the domain on a
> non-ACME CA, if they only require a proof of ownership of the web server.

Just say what the protocol does and avoid all that muck. You lose generality, currency, correctness, and it's just more work to talk about CABF stuff. The web isn't the only user of this stuff and I have started to see drafts lose sight of that.

> Basic CAA, prior to Hugo's draft, only says which CA you are trusting. But
> that CA can still choose the spoofable http-01 authorization - spoofable if
> you are the CDN and so you control the web pages.

My understanding is that in this model you *need* CAA with the extension. As you say CAA doesn't cut it. The text as it stands basically implies that, but it also says a bunch of other stuff, which obfuscates that important message. So say exactly that: MUST use CAA with the acme extension and that needs to be immutable so that the untrusted thingamy can't just rewrite the policy. That's all I was asking for.

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
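The check the reply above wants the draft to mandate, as an added example that is not from this thread or from any ACME or CA implementation: a simplified CAA evaluation in which the `accounturi` and `validationmethods` parameters are those defined by the ACME CAA extension (Hugo Landau's draft, later RFC 8657), the records, CA name and account URIs are constructed, and matching is simpler than the RFC's full rules. It shows that plain CAA still lets a CDN with its own ACME account pass http-01 at the trusted CA, while the pinned record refuses both the foreign account and the http-01 method.

```python
"""CAA policy check with the ACME extension parameters (constructed example)."""
from dataclasses import dataclass

@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str

def parse_caa(rdata: str) -> CAARecord:
    """Parse presentation-format rdata such as '0 issue "ca.example; accounturi=..."'."""
    flags, tag, value = rdata.split(" ", 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))

def parse_issue_value(value: str):
    """Split an issue value into (issuer domain, {parameter: value})."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            params[key.strip().lower()] = val.strip()
    return parts[0].lower(), params

def issuance_allowed(records, ca, account_uri, method):
    """True if the record set lets `ca` issue via ACME account `account_uri` using `method`."""
    # An issuer-critical property (flag bit 128) we do not understand forbids issuance.
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef") for r in records):
        return False
    issue = [r for r in records if r.tag == "issue"]
    if not issue:
        return True  # no CAA issue policy published: any CA may issue
    for rec in issue:
        issuer, params = parse_issue_value(rec.value)
        if issuer != ca.lower():
            continue  # another CA, or the empty issuer ";" meaning nobody may issue
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue  # pinned to a different ACME account, so a CDN's own account is useless
        if "validationmethods" in params:
            allowed = {m.strip().lower() for m in params["validationmethods"].split(",")}
            if method.lower() not in allowed:
                continue  # e.g. http-01 excluded because the CDN controls the web content
        return True  # this record authorises exactly this CA, account and method
    return False

# Constructed records: plain CAA versus CAA pinned with the ACME extension.
PLAIN = [parse_caa('0 issue "ca.example"')]
PINNED = [parse_caa('0 issue "ca.example; accounturi=https://ca.example/acct/123; '
                    'validationmethods=dns-01"')]
```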
