[Acme] I-D Action: draft-ietf-acme-service-provider-00.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Automated Certificate Management Environment of the IETF.

        Title    : ACME Identifiers and Challenges for VoIP Service Providers
        Authors  : Mary Barnes
                   Chris Wendt
        Filename : draft-ietf-acme-service-provider-00.txt
        Pages    : 8
        Date     : 2017-06-20

Abstract:
   This document specifies identifiers and challenges required to enable
   the Automated Certificate Management Environment (ACME) to issue
   certificates for VoIP service providers to support Secure Telephony
   Identity (STI).

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-acme-service-provider/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-acme-service-provider-00
https://datatracker.ietf.org/doc/html/draft-ietf-acme-service-provider-00

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

___
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme

Re: [Acme] Before entering WGLC ...
> This might be easier to read, though is actually slightly longer:
>
>   Where a CAA property has an "account-uri" parameter, a CA MUST NOT
>   consider that property to authorize issuance in the context of a given
>   certificate issuance request unless the CA recognises the URI
>   specified as identifying the account making that request.

I like this. Martin and Russ, your views?

Re: [Acme] Before entering WGLC ...
> A CA MAY proceed with issuance if a CAA record is present whose value matches
> the account-uri parameter of the account making the request.
> If no CAA records have such a match, then the CA MUST NOT proceed with
> issuance.

This neglects to include the other criteria for validation of a CAA record,
however; the wording here suggests this is the only aspect of a CAA record
that needs to be validated. If you want to describe a sufficient condition,
rather than a necessary one, it stands to reason you'd have to copy and paste
large amounts of language from the CAA specification into the specification.

Currently we have

  A CA MUST only consider a property with an "account-uri" parameter to
  authorize issuance where the URI specified is an URI that the CA
  recognises as identifying the account making a certificate issuance
  request.

We could also negate it, which might actually be better - the above is
slightly more susceptible to being confused for a statement of a sufficient
condition:

  A CA MUST NOT consider a property with an "account-uri" parameter to
  authorize issuance unless the URI specified is an URI that the CA
  recognises as identifying the account making a certificate issuance
  request.

This might be easier to read, though is actually slightly longer:

  Where a CAA property has an "account-uri" parameter, a CA MUST NOT
  consider that property to authorize issuance in the context of a given
  certificate issuance request unless the CA recognises the URI
  specified as identifying the account making that request.
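
Added example, not part of any message in this thread and not code from the draft: a simplified CA-side check that treats "account-uri" as a necessary condition on top of the ordinary CAA issuer-domain match, which is the distinction the last message draws. CA_DOMAIN, the function names, the sample URIs and the use of exact string equality for "recognises the URI" are assumptions; tree climbing, "issuewild" and critical flags are left out.

```python
# Added example (not from the thread). CA_DOMAIN and all URIs are constructed.
CA_DOMAIN = "ca.example"


def parse_issue_value(value):
    """Split an 'issue' value into (issuer domain, {parameter: value})."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for part in parts[1:]:
        if not part:
            continue
        tag, sep, val = part.partition("=")
        if not sep:
            raise ValueError("malformed parameter: %r" % part)
        params[tag.strip().lower()] = val.strip()
    return parts[0].lower(), params


def property_authorizes(value, requesting_account_uri):
    """True only if this one 'issue' property authorizes the request."""
    try:
        domain, params = parse_issue_value(value)
    except ValueError:
        return False  # an unparseable property never authorizes
    # Ordinary CAA criterion, still required: the property must name this CA.
    if domain != CA_DOMAIN:
        return False
    # account-uri is a further restriction (necessary, not sufficient).
    # Assumption: "recognises as identifying the account" is modelled as
    # exact string equality with the requesting account's URI.
    if "account-uri" in params:
        return params["account-uri"] == requesting_account_uri
    return True


def may_issue(issue_values, requesting_account_uri):
    """Decide over the 'issue' properties of the relevant CAA record set."""
    if not issue_values:
        return True  # no 'issue' properties: nothing here restricts issuance
    return any(property_authorizes(v, requesting_account_uri)
               for v in issue_values)
```

A property naming a different CA but carrying the requester's account URI does not authorize issuance here, which is the case the "sufficient condition" wording would have let through.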