Re: [Acme] ACME draft is now in WGLC -- require CAA ?

2017-03-14 Thread Hugo Landau
> Have you seen the thread on the LAMPS (SPASM) mailing list, titled
> "CAA Erratum 4515"?  That raises some technical issues, which make me
> (as an individual at least) think it's premature.
I wasn't aware of this.

However, as far as I'm aware mandatory CAA checking is now a done deal:
https://cabforum.org/pipermail/public/2017-March/009988.html

I'd therefore argue it isn't premature, a) because CAs are going to have
to implement it by September anyway, b) because it's already used in
production (Let's Encrypt) successfully.

In light of the CAB Forum resolution, the additional utility of adding a
normative requirement to the ACME RFC is marginal, so I'm no longer
terribly bothered either way, though still ultimately in favour.

___
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
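Hugo's point above is that the CAA check is already run in production by Let's Encrypt. The following is an added illustration, not code from the thread, from Let's Encrypt or from the ACME draft: a minimal RFC 6844 CAA evaluation in Python. It climbs from the requested name toward the root, takes the first non-empty CAA RRset, honours the issuer-critical flag on unrecognised tags, and applies issue/issuewild semantics. The zone snapshot, the names and the CA identifier "letsencrypt.org" are constructed assumptions standing in for live DNS, and the snapshot contains no CNAME or DNAME aliases, which the simple climb below does not model.

```python
"""
Added example (not from the thread): a CAA check per RFC 6844 over a
constructed zone snapshot, so it runs offline. The names, records and the
CA identifier "letsencrypt.org" below are illustrative assumptions.
"""
from collections import namedtuple

CAARecord = namedtuple("CAARecord", "flags tag value")
CRITICAL_FLAG = 0x80                      # "issuer critical" bit, RFC 6844 s.5.1
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone snapshot standing in for DNS: owner name -> CAA RRset.
# Assumption: no CNAME/DNAME aliases, which the plain climb below ignores.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "letsencrypt.org; account=12345"),
        CAARecord(0, "issuewild", ";"),      # forbids wildcard issuance entirely
    ],
    "strict.example.com": [
        CAARecord(CRITICAL_FLAG, "future-tag", "value"),   # unknown tag, critical
    ],
}


def lookup_caa(name):
    """Stand-in for a DNS CAA query against the constructed snapshot."""
    return ZONE.get(name, [])


def relevant_rrset(name):
    """RFC 6844 s.4: walk from name toward the root; first non-empty CAA RRset wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrset = lookup_caa(owner)
        if rrset:
            return owner, rrset
    return None, []


def parse_issuer(value):
    """'ca.example; account=123' -> ('ca.example', {'account': '123'}); ';' -> ('', {})."""
    domain, _, tail = value.partition(";")
    params = {}
    for piece in tail.split(";"):
        key, sep, val = piece.partition("=")
        if sep:
            params[key.strip().lower()] = val.strip()
    return domain.strip().lower(), params


def caa_permits(fqdn, ca_domain):
    """Decide whether the CA identified by ca_domain may issue for fqdn.

    Returns (allowed, reason). A leading '*.' requests a wildcard certificate.
    """
    wildcard = fqdn.startswith("*.")
    base = fqdn[2:] if wildcard else fqdn
    owner, rrset = relevant_rrset(base)

    if not rrset:
        return True, "no CAA records found up the tree: issuance unrestricted"

    # A critical record carrying a tag the CA does not understand blocks issuance.
    for rec in rrset:
        if rec.flags & CRITICAL_FLAG and rec.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown tag '{rec.tag}' at {owner}"

    by_tag = {}
    for rec in rrset:
        by_tag.setdefault(rec.tag.lower(), []).append(rec)

    # Wildcard requests are governed by issuewild when present, else by issue.
    if wildcard and by_tag.get("issuewild"):
        governing = by_tag["issuewild"]
    else:
        governing = by_tag.get("issue", [])

    if not governing:
        return True, f"CAA present at {owner} but no issue/issuewild property applies"

    for rec in governing:
        domain, _params = parse_issuer(rec.value)
        if domain and domain == ca_domain.lower():
            return True, f"{rec.tag} record at {owner} names {domain}"
    return False, f"{owner} does not authorise {ca_domain} (tag {governing[0].tag})"


if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "other-ca.example"),
                     ("*.example.com", "letsencrypt.org"),
                     ("strict.example.com", "letsencrypt.org"),
                     ("host.example.net", "letsencrypt.org")]:
        print(name, ca, caa_permits(name, ca))
```

In a real CA the lookup_caa stand-in would be an actual DNS query, and the outcome of the lookup (including failures) is what the policy question in the thread is about; the decision logic itself is small.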


Re: [Acme] ACME draft is now in WGLC -- require CAA ?

2017-03-14 Thread Salz, Rich
 
> I'd agree that the CAA check should be made mandatory. At least, I can't
> think of any good reason why it shouldn't be.

Have you seen the thread on the LAMPS (SPASM) mailing list, titled "CAA Erratum 4515"?
That raises some technical issues, which make me (as an individual at least) think
it's premature.
 
> I'd also agree that the use of a DNSSEC-validating resolver accessed via a
> trusted network (preferably localhost) should be mandatory.

This is a separate issue, please start a separate thread.
