On 24 June 2017 at 02:24, Yaron Sheffer <yaronf.i...@gmail.com> wrote:
>>> Expires is to ensure that the certificate is not
>>> cached beyond the point where a newer certificate will be issued. You
>>> should remove this text.
>>
>> OK
>
> Is there some other common header to denote that the value of a URL is only
> good for X time?

Isn't it enough to rely on the server echoing your parameters? (Another reason to use absolute values for the end of the recurring interval.)

>>> Don't mention time-sensitive policy actions by the CA/B Forum.
>>
>> Makes sense.
>
> I disagree. CA/B forum decisions (unlike IETF standards) are mandatory for
> some parties to follow and so can be relied upon by the DNO.

This is a protocol. What CABF do with it is entirely up to them. They aren't the only ones creating policy that might affect someone using this protocol.

>>> Can't you simply ensure that the CDN can't modify the CAA record?
>>
>> This is the minimum we could say. At this point, I think we are trying
>> to explore a bit what other mitigations can be put in place.
>
> Unfortunately this is insufficient, because in the case of CDN's, some of
> the authorization methods are subject to spoofing.

If the CAA record exists, then spoofing won't result in the certificate being issued, so what is the problem?
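The last exchange turns on what a CA actually does with a CAA record before issuing: regardless of how the domain-control challenge was satisfied, the CA walks up the DNS tree from the requested name, finds the closest CAA RRset, and refuses to issue unless one of the governing records names it. The following is an added worked example of that CA-side evaluation (RFC 8659 semantics), not code from the thread or from any participant; the zone data and the CA identifier `example-ca.test` are constructed inline, and CNAME/DNAME following and DNSSEC validation are left out for brevity.

```python
"""Evaluate CAA records (RFC 8659) to decide whether a CA may issue for a name.
Added example for the ACME thread; the zone data below is constructed.
A real checker would query DNS through a validating resolver instead."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) = issuer-critical flag
    tag: str     # "issue", "issuewild", "iodef", or something unknown
    value: str   # e.g. "example-ca.test; validationmethods=dns-01", or ";" for nobody

# Constructed zone data: fully-qualified owner names -> CAA RRset.
ZONE: Dict[str, List[CAA]] = {
    "example.test.": [CAA(0, "issue", "example-ca.test")],
    # ";" as the issue value means no CA at all may issue.
    "locked.example.test.": [CAA(0, "issue", ";")],
    # Separate policy for wildcard and non-wildcard names.
    "wild.example.test.": [CAA(0, "issue", "example-ca.test"),
                           CAA(0, "issuewild", "other-ca.test")],
    # Unknown tag with the critical flag set: CA must refuse.
    "strict.example.test.": [CAA(128, "unknowntag", "x")],
}

def relevant_rrset(name: str, zone: Dict[str, List[CAA]] = ZONE) -> Optional[List[CAA]]:
    """RFC 8659 section 3: the relevant RRset is the one at the name itself,
    otherwise the one at the closest ancestor that has a CAA RRset."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zone:
            return zone[candidate]
    return None

def issuer_domain(value: str) -> str:
    """The issuer domain is the text before any ';' parameter list, trimmed."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(name: str, ca: str, zone: Dict[str, List[CAA]] = ZONE) -> bool:
    """Return True if CA `ca` is permitted to issue a certificate for `name`."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    rrset = relevant_rrset(base, zone)
    if rrset is None:
        return True  # no CAA anywhere up the tree: issuance is not restricted
    # Any record with an unrecognised tag and the critical flag set forbids issuance.
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # Wildcard names are governed by issuewild when present, else by issue.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True  # RRset exists but carries no governing property: not restricted
    # ";" yields an empty issuer domain, which matches no CA, so it forbids issuance.
    return any(issuer_domain(r.value) == ca.lower() for r in governing)

if __name__ == "__main__":
    for n, ca in [("www.example.test", "example-ca.test"),
                  ("www.example.test", "other-ca.test"),
                  ("locked.example.test", "example-ca.test"),
                  ("*.wild.example.test", "other-ca.test"),
                  ("strict.example.test", "example-ca.test")]:
        print(f"{ca} may issue for {n}: {may_issue(n, ca)}")
```

The point the reply makes falls out of `may_issue`: a spoofed challenge answer never reaches this check's inputs, so as long as the CAA RRset the CA reads is the legitimate one, a CA not named in it cannot issue. That is also why the mitigation question in the thread reduces to who can write the CAA record, not who can answer the challenge.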