Hello,

This development is exciting work in regard to allowing domain owners to limit which validation methods they want to allow to be used for their domains.

Unfortunately, the validation-methods extension is not compliant with RFC 6844 (the CAA RFC), as parameter tags cannot contain hyphens. This was originally pointed out on this mailing list in January (https://www.ietf.org/mail-archive/web/acme/current/msg02506.html). I proposed a fix to this issue (as well as fixing an ambiguity in the ABNF grammar in regard to parameter delimiters) on the LAMPS WG mailing list a few months ago (https://www.ietf.org/mail-archive/web/spasm/current/msg01144.html), but this change has not yet been incorporated into a draft of RFC 6844-bis.

Since RFC 6844 dictates that parameters have meaning specific to the issuer (from section 5.1: “The semantics of issuer-parameters are determined by the issuer alone”), I don’t believe that issuing certificates for domains whose CAA record sets contain non-conformant parameter syntax would constitute mis-issuance. However, it may present difficulties in regard to tooling/automation that expect all parameter tags to follow RFC 6844.

Thanks,
Corey Bonnell
Senior Software Engineer
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: Acme <[email protected]> on behalf of Daniel McCarney <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Wednesday, May 30, 2018 at 1:57 PM
To: Hugo Landau <[email protected]>, IETF ACME <[email protected]>
Subject: [Acme] Let's Encrypt ACME-CAA validation-methods support

Hi folks,

I'm happy to share that Let's Encrypt has deployed support for Hugo Landau's ACME-CAA "validation-methods" CAA record extension in the staging environment[0]. Community feedback/review would be most appreciated. You can find more information in the associated API announcement[1].
Thanks,
- Daniel / cpu

[0] - https://letsencrypt.org/docs/staging-environment/
[1] - https://community.letsencrypt.org/t/acme-caa-validation-methods-support/63125
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
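As an added illustration (not code from the thread, from Let's Encrypt, or from the ACME-CAA draft), the following Python check parses a CAA issue/issuewild value against the RFC 6844 section 5.2 grammar and reports why a tag such as validation-methods fails the 1*(ALPHA / DIGIT) tag rule while account passes. Because the RFC 6844 ABNF shows only whitespace between parameters while deployed records separate them with ";", accepting both delimiters is this example's own assumption; the sample records are constructed.

```python
import re

# Grammar for the CAA "issue"/"issuewild" value, RFC 6844 section 5.2:
#   issuevalue = space [domain] space [";" *(space parameter) space]
#   label      = (ALPHA / DIGIT) *( *("-") (ALPHA / DIGIT))
#   parameter  = tag "=" value
#   tag        = 1*(ALPHA / DIGIT)   ; letters and digits only, no hyphen
#   value      = *VCHAR              ; printable ASCII, no whitespace
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:-*[A-Za-z0-9])*$")
TAG_RE = re.compile(r"^[A-Za-z0-9]+$")
VALUE_RE = re.compile(r"^[\x21-\x7e]*$")

def check_issue_value(value):
    """Return (domain, {tag: value}, problems) for one issue/issuewild value.
    The RFC 6844 ABNF shows only whitespace between parameters while deployed
    records use ";", so both are accepted here (this example's own assumption)."""
    problems = []
    domain_part, has_params, param_part = value.partition(";")
    domain = domain_part.strip()
    if domain and not all(LABEL_RE.match(lbl) for lbl in domain.split(".")):
        problems.append("domain %r is not a valid RFC 6844 domain" % domain)
    params = {}
    if has_params:
        for raw in re.split(r"[;\s]+", param_part.strip()):
            if not raw:
                continue
            tag, eq, val = raw.partition("=")
            if not eq:
                problems.append("parameter %r has no '='" % raw)
                continue
            if not TAG_RE.match(tag):
                problems.append("tag %r is not 1*(ALPHA / DIGIT)" % tag)
            if not VALUE_RE.match(val):
                problems.append("value %r contains non-VCHAR characters" % val)
            params[tag] = val
    return domain, params, problems

# Constructed sample records (not taken from the thread).
SAMPLES = [
    'letsencrypt.org; validation-methods=dns-01',  # tag with hyphen
    'letsencrypt.org; account=12345',              # conformant
    'ca.example.net; account=230123 policy=ev',    # whitespace-separated
]

if __name__ == "__main__":
    for rec in SAMPLES:
        domain, params, problems = check_issue_value(rec)
        print(rec, "->", domain, params, problems or "conformant")
```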
