> This might be easier to read, though is actually slightly longer:
> Where a CAA property has an "account-uri" parameter, a CA MUST NOT
> consider that property to authorize issuance in the context of a given
> certificate issuance request unless the CA recognises the URI
> specified as
> A CA MAY proceed with issuance if a CAA record is present whose value matches
> the account-uri parameter of the account making the request.
> If no CAA records have such a match, then the CA MUST NOT proceed with
> issuance.
This neglects to include the other criteria for validation of a CAA
How about this:
A CA MAY proceed with issuance if a CAA record is present whose value matches
the account-uri parameter of the account making the request.
If no CAA records have such a match, then the CA MUST NOT proceed with issuance.
___
Acme
> Like Russ, I find the statement very difficult to read. Would
> inverting it be better?
>
> > A CA MUST NOT issue authorize issuance if a CAA record is present unless
> > the "account-uri" parameter identifies the account making a certificate
> > issuance request.
See previous reply.
Like Russ, I find the statement very difficult to read. Would
inverting it be better?
> A CA MUST NOT issue authorize issuance if a CAA record is present unless the
> "account-uri" parameter identifies the account making a certificate issuance
> request.
On 19 June 2017 at 00:16, Salz, Rich
Thank you. For me, it addresses the issue. Russ, are you ok?
___
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
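The rule this thread is trying to word, as an added example that is not text from the draft or from any poster. It contrasts a per-property check, where "account-uri" only narrows a property that already names the CA, with the shorter wording read literally, which is the gap the objection about "other criteria" points at. The function names, exact string comparison of URIs, and all sample values are assumptions made for illustration.

```python
# Added illustration; every name and sample value here is constructed.
CA_DOMAIN = "ca.example"                          # this CA's issuer domain name
ACCOUNT_URIS = {"https://ca.example/acct/1234"}   # URIs the CA recognises as the requesting account


def parse_issue_value(value):
    """Split an 'issue' property value into (issuer_domain, {parameter: value})."""
    head, *rest = value.split(";")
    params = {}
    for item in rest:
        name, sep, val = item.partition("=")
        if sep:  # skip empty or malformed segments such as a trailing ';'
            params[name.strip().lower()] = val.strip()
    return head.strip().lower(), params


def property_authorizes(value, ca_domain, account_uris):
    """True if this single property authorizes the requesting account."""
    issuer, params = parse_issue_value(value)
    if issuer != ca_domain:
        return False  # the ordinary issuer-domain criterion still applies
    if "account-uri" in params:
        # Assumption: recognition is modelled as exact string equality.
        return params["account-uri"] in account_uris
    return True  # no account-uri parameter: the property is not account-restricted


def may_issue(issue_values, ca_domain, account_uris):
    """Assumes issue_values is the non-empty list of 'issue' properties found."""
    return any(property_authorizes(v, ca_domain, account_uris) for v in issue_values)


def shorter_wording(issue_values, account_uris):
    """The shorter proposal read literally: only account-uri is compared."""
    return any(parse_issue_value(v)[1].get("account-uri") in account_uris
               for v in issue_values)


if __name__ == "__main__":
    samples = {
        "matching account": ["ca.example; account-uri=https://ca.example/acct/1234"],
        "other account": ["ca.example; account-uri=https://ca.example/acct/9999"],
        "no parameter": ["ca.example"],
        "other CA, same URI": ["other-ca.example; account-uri=https://ca.example/acct/1234"],
    }
    for label, values in samples.items():
        print(label, may_issue(values, CA_DOMAIN, ACCOUNT_URIS),
              shorter_wording(values, ACCOUNT_URIS))
```

The last two sample sets are where the two readings diverge: a plain property with no parameter, and a property that names a different CA but carries the requester's URI.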
> > . . . A CA MUST only consider a property with an "account-uri"
> > parameter to authorize issuance where the URI specified is an URI
> > that the CA recognises as identifying the account making a
> > certificate issuance request.
> >
> > > This is not a [crisp] MUST statement. I
> Hugo, the CAA document is in WGLC. Russ raised the following issue on some
> text in section 2:
>
> . . . A CA MUST only consider a property with an "account-uri"
> parameter to authorize issuance where the URI specified is an URI
> that the CA recognises as identifying the account
Hugo, the CAA document is in WGLC. Russ raised the following issue on some
text in section 2:
. . . A CA MUST only consider a property with an "account-uri"
parameter to authorize issuance where the URI specified is an URI
that the CA recognises as identifying the account making a