Re: [Acme] ACME draft is now in WGLC.

On Mon, Mar 13, 2017 at 02:00:40PM -0700, Jacob Hoffman-Andrews wrote:

> > by CA/B forum as a "recommendation", which meant that the constraint
> > was meaningless. Rumour has it that CAA will soon be a requirement,
> > so I've now published CAA records. The CAA check is/was easy to
> > make and crippling it by not making it a requirement was IMNSHO a
> > mistake.
>
> I think by this you mean that the CA/Browser Forum should have mandated
> CAA support in its Baseline Requirements, back when it first adopted CAA
> as "recommended." Is that right?

Yes.

> I think the analogous goal here is that you'd like the CA/Browser Forum
> to mandate use of a DNSSEC-validating recursive resolver during
> DNS-based validation procedures.

No, dragging the CA/B forum into this discussion (by way of analogy) was perhaps a mistake. What I am trying to say is that wiggle room to not do DNSSEC in ACME serves no purpose. ACME should *require* DNSSEC resolvers in *ACME conformant* CAs.

> That's great! However, I don't think mandating use of a DNSSEC-validating
> resolver in the ACME spec will achieve that goal, since the CA/Browser
> Forum is not planning to mandate use of the ACME spec.

Convincing non-ACME CAs that issue DV certs to use DNSSEC for DNS challenges is a separate issue (windmill for my Quixotic battles) and is out of scope for this group. So one thing at a time, I urge the ACME WG to require DNSSEC for DNS challenges, so that security of DNSSEC signed domains is not downgraded by ACME CAs negligently running security-oblivious resolvers.

--
	Viktor.

___
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
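An added example, not part of the thread, of the CA-side check that Viktor's argument implies: a DNS-01 validator that parses the header of a DNS wire-format response and refuses to use an answer for a DNSSEC-signed name unless the CA's own validating resolver set the AD bit (and treats a SERVFAIL from that resolver as a validation failure, not a missing record). The `zone_is_signed` input and the sample headers are assumptions constructed here.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD bit from RFC 4035).
FLAG_QR = 1 << 15   # response
FLAG_TC = 1 << 9    # truncated
FLAG_AD = 1 << 5    # Authenticated Data: the resolver validated the answer
RCODE_MASK = 0xF
RCODE_SERVFAIL = 2  # what a validating resolver returns for bogus data

def parse_header(msg: bytes) -> dict:
    """Parse the fixed 12-byte DNS header of a wire-format message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "ad": bool(flags & FLAG_AD), "rcode": flags & RCODE_MASK,
            "qdcount": qd, "ancount": an}

def classify_dns01_answer(msg: bytes, zone_is_signed: bool) -> str:
    """Decide whether a DNS-01 TXT answer may be used for validation.
    Assumes the message came from a validating resolver the CA controls,
    since the AD bit is only meaningful on that trusted hop.
    zone_is_signed is an assumed input (e.g. from a prior DS lookup)."""
    h = parse_header(msg)
    if h["rcode"] == RCODE_SERVFAIL:
        return "bogus"        # validation failed: never treat as a challenge miss
    if not h["qr"] or h["tc"] or h["rcode"] != 0 or h["ancount"] == 0:
        return "unusable"
    if h["ad"]:
        return "secure"       # validated answer, safe to compare against the token
    if zone_is_signed:
        return "downgraded"   # signed zone but no AD: non-validating path, reject
    return "insecure"         # unsigned zone: DNSSEC offers no protection here

def make_header(flags: int, ancount: int = 1) -> bytes:
    """Constructed sample: header only, sections omitted for the flag check."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)

# Constructed sample responses
VALIDATED = make_header(FLAG_QR | FLAG_AD)           # from a validating resolver
UNVALIDATED = make_header(FLAG_QR)                   # from a security-oblivious resolver
BOGUS = make_header(FLAG_QR | RCODE_SERVFAIL, 0)     # validation failure

def dns01_accept(msg: bytes, zone_is_signed: bool) -> bool:
    """Only 'secure' and 'insecure' (unsigned zone) answers are acceptable."""
    return classify_dns01_answer(msg, zone_is_signed) in ("secure", "insecure")
```

The AD bit is only trustworthy over a channel the CA controls (a local validating resolver); a "downgraded" result for a signed zone is exactly the case a security-oblivious resolver would silently accept.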
Re: [Acme] ACME draft is now in WGLC.

As Rich said, the CA/Browser Forum has indeed voted to mandate CAA. Hooray!

On 03/13/2017 01:14 PM, Viktor Dukhovni wrote:

> I've had complete disinterest in CAA which initially was accepted
> by CA/B forum as a "recommendation", which meant that the constraint
> was meaningless. Rumour has it that CAA will soon be a requirement,
> so I've now published CAA records. The CAA check is/was easy to
> make and crippling it by not making it a requirement was IMNSHO a
> mistake.

I think by this you mean that the CA/Browser Forum should have mandated CAA support in its Baseline Requirements, back when it first adopted CAA as "recommended." Is that right?

I think the analogous goal here is that you'd like the CA/Browser Forum to mandate use of a DNSSEC-validating recursive resolver during DNS-based validation procedures.

That's great! However, I don't think mandating use of a DNSSEC-validating resolver in the ACME spec will achieve that goal, since the CA/Browser Forum is not planning to mandate use of the ACME spec.

I realize that the CA/Browser Forum seems relatively opaque and hard to participate in, but if you check their bylaws it is possible for any member of the public (not just a CA or a Browser) to directly participate in the mailing list by submitting a simple form. I'd encourage you to get involved!
[Acme] Fwd: Inconsistent abbreviations for resource names

I'm resending this message as there were no responses and nothing changed.

-- Forwarded message --

Morning,

the current draft contains a few inconsistencies in the resource naming.

1) https://ietf-wg-acme.github.io/acme/#rfc.section.6.1 mentions "revoke-certificate", while it's called "revoke-cert" in the rest of the document.

2) There's "new-account", but the account resource is called "acct". I think it should be "account" everywhere. We don't gain anything by saving a few keystrokes / bytes there. Maybe we should then also rename "authz" to "authorization" and "cert" to "certificate" everywhere.

Regards,
Niklas
Re: [Acme] ACME draft is now in WGLC.

> Rumour has it that CAA will soon be a requirement

It just passed their balloting so CA/B forum now requires it. See the LAMPS WG thread(s) on CAA erratum 4515.

> The CAA check is/was easy to make and crippling it
> by not making it a requirement was IMNSHO a mistake.
> ...
> I urge the WG to reconsider.

Does anyone else agree with Viktor? Please speak up on the list this week if so.