On Thu, Oct 10, 2019 at 5:22 AM Yaron Sheffer <[email protected]> wrote:

> I am wondering though about this sentence: A CA can "also offer additional
> validation methods/issuance flows which also use the "dns-01" method."
> Doesn't specifying "dns-01" restrict the CA to one particular
> validation/authorization flow?
>

No.

There's a gap in the assumption here, which is that the CA MUST support
draft-ietf-acme-caa, which is not specified, and were it specified, runs
into the set of issues covered in
https://tools.ietf.org/html/draft-ietf-acme-caa-10#section-5

However, setting that aside, the dns-01 validation method alone doesn't
restrict the issuance pattern to just being STAR, which is the assertion
"To restrict certificate delegation only to the protocol defined here:"
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
