The second paragraph is hard for me to parse. Let me try to reword it.

The presence of this parameter in a property further constrains certificate issuance for that property. Whenever the parameter is included in a property, a CA MUST NOT use any validation method unless the method is explicitly listed.


Since the consensus seems to be to change to "validation-methods",
here's the wording I propose for the validation-methods section:

   Extensions to the CAA Record: validation-methods Parameter

   A CAA parameter "validation-methods" is also defined for the "issue" and
   "issuewild" properties. The value of this parameter, if specified, MUST
   be a comma-separated string of challenge method names. Each challenge
   method name MUST be either an ACME challenge method name or a
   CA-assigned non-ACME challenge method name.

   The presence of this parameter constrains the property to which it is
   attached. A CA MUST only consider a property with the
   "validation-methods" parameter to authorize issuance where the name of
   the challenge method being used is one of the names listed in the
   comma-separated list.

   Where a CA supports both the "validation-methods" parameter and one or
   more non-ACME challenge methods, it MUST assign identifiers to those
   methods. These identifiers MUST be chosen to minimise the likelihood of
   conflict with any ACME challenge method name; it is RECOMMENDED that, at
   the very least, CAs avoid assigning identifiers ending in a hyphen and
   two digits ("-00").

   A CA SHOULD assign individual identifiers to each of its non-ACME
   challenge methods. However, if it is unable or unwilling to do so, it
   MAY use the fallback identifier of "non-acme" to identify such methods.
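
An added example, not part of the original message or of the draft: one way a CA-side check could apply the proposed "validation-methods" rule to a set of "issue" property values. It assumes semicolon-separated tag=value parameters and exact-match comparison of method names; ca.example, other-ca.example and the CA-assigned name "ca-email" are constructed for illustration.

```python
FALLBACK = "non-acme"  # fallback identifier from the proposed text
ACME_METHODS = {"http-01", "dns-01"}  # sample ACME challenge names


def parse_property_value(value):
    """Split 'ca.example; tag=value; ...' into (issuer, {tag: value})."""
    issuer, *rest = [p.strip() for p in value.split(";")]
    params = {}
    for part in rest:
        if not part:
            continue
        tag, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed parameter: {part!r}")
        params[tag.strip().lower()] = val.strip()
    return issuer.lower(), params


def method_identifier(method, ca_assigned):
    """Name compared against the list: ACME name, CA-assigned name, or fallback."""
    if method in ACME_METHODS:
        return method
    return ca_assigned.get(method, FALLBACK)


def property_authorizes(value, ca_domain, method_name):
    """True if this single property authorizes ca_domain for method_name."""
    try:
        issuer, params = parse_property_value(value)
    except ValueError:
        return False  # fail closed on an unparseable value
    if issuer != ca_domain.lower():
        return False
    if "validation-methods" not in params:
        return True  # parameter absent: the method is not constrained
    listed = {m.strip() for m in params["validation-methods"].split(",")}
    listed.discard("")  # an empty list authorizes no method at all
    return method_name in listed


def may_issue(property_values, ca_domain, method, ca_assigned=None):
    """Evaluate every property in the relevant set; any match authorizes."""
    name = method_identifier(method, ca_assigned or {})
    return any(property_authorizes(v, ca_domain, name) for v in property_values)


# Constructed sample record set; "ca-email" is a hypothetical CA-assigned name.
SAMPLE = ["ca.example; validation-methods=dns-01,ca-email", "other-ca.example"]
```
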


Subject: Digest Footer

Acme mailing list


End of Acme Digest, Vol 34, Issue 1
