On Sat, Jun 18, 2016 at 01:53:20PM +0800, Aaron Zauner wrote:
> RFC6844 defines a method by which domain owners can limit the CA allowed
> to issue certificates for their domain.
Critically, this signalling channel is *exclusively* between the
domain and any CA that might consider issuing a certificate for
the domain. It MUST NOT be used by relying parties.
Unfortunately, the CA/B forum voted to make support for this
optional, so this standard is stillborn.
> As far as I can tell this isn't widely implemented in DNS daemons (KnotDNS
> and Bind9 [urgh] do have support though). Is this something that might
> make sense including in the MTA-STS document?
See above, CAA does not apply to relying parties, and has no
relevance to STS.
> i.e. one could effectively restrict validation to a certain CA (say for
> example Let's Encrypt).
One could attempt to ask other CAs to not issue certificates for
one's domain. In practice, this is mostly useless.
--
Viktor.
_______________________________________________
Uta mailing list
https://www.ietf.org/mailman/listinfo/uta
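The reply above stresses that CAA is consumed by the issuing CA only, never by a relying party such as an MTA doing STS validation. The following is an added example (not code from this thread, nor from any CA or DNS server) of the check a CA performs under RFC 6844: climb from the requested name toward the root until a CAA RRset is found, then decide whether the CA's identifying domain is permitted to issue, honouring `issue`, `issuewild`, the empty issuer `;`, and the critical flag on unknown property tags. The zone is a constructed in-memory dict standing in for live DNS; CNAME/DNAME chasing from section 4 of the RFC is omitted, and all domain names and CA identifiers are hypothetical.

```python
"""Added example: CA-side CAA (RFC 6844) evaluation.

Not code from the mailing list thread. The zone below is constructed for
the example and consulted from a dict rather than via DNS; CNAME/DNAME
following from RFC 6844 section 4 is deliberately left out.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ISSUER_CRITICAL = 128  # RFC 6844 section 5.1: bit 7 of the flags octet


@dataclass(frozen=True)
class CAA:
    flags: int   # ISSUER_CRITICAL set => CA must understand the tag or refuse
    tag: str     # "issue", "issuewild", "iodef", or something newer
    value: str   # issuer domain, optionally followed by ";param=..."; ";" alone = no CA


# Constructed zone: FQDN (lowercase, no trailing dot) -> CAA RRset.
ZONE: Dict[str, List[CAA]] = {
    "example.com": [CAA(0, "issue", "letsencrypt.org"),
                    CAA(0, "iodef", "mailto:security@example.com")],
    "wild.example.com": [CAA(0, "issue", "letsencrypt.org; account=12345"),
                         CAA(0, "issuewild", ";")],
    "locked.example.com": [CAA(0, "issue", ";")],
    "report.example.com": [CAA(0, "iodef", "mailto:caa@example.com")],
    "strict.example.com": [CAA(ISSUER_CRITICAL, "futuretag", "opaque")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa(name: str, zone: Dict[str, List[CAA]] = ZONE) -> Optional[List[CAA]]:
    """RFC 6844 section 4: the relevant RRset is the one owned by the closest
    ancestor-or-self of `name` that has CAA records. None => no CAA anywhere."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return None


def issuer_domain(value: str) -> str:
    """Strip parameters ('letsencrypt.org; account=1' -> 'letsencrypt.org').
    A bare ';' yields '' which authorises nobody."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(name: str, ca_domain: str, wildcard: bool = False,
                 zone: Dict[str, List[CAA]] = ZONE) -> bool:
    """Decide whether the CA identified by `ca_domain` may issue for `name`."""
    rrset = relevant_caa(name, zone)
    if rrset is None:
        return True  # no CAA records: the domain has expressed no restriction

    # Section 3: an unrecognised property with the critical flag forbids issuance.
    if any(r.flags & ISSUER_CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False

    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]

    # Section 5.3: for a wildcard request, issuewild (if present) overrides issue;
    # otherwise issue governs. issuewild is ignored for non-wildcard requests.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True  # RRset exists (e.g. only iodef) but constrains no issuer

    allowed = {issuer_domain(r.value) for r in governing}
    allowed.discard("")  # ';' entries authorise no CA at all
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    for host, wild in [("www.example.com", False), ("wild.example.com", True),
                       ("locked.example.com", False), ("strict.example.com", False)]:
        print(host, "wildcard" if wild else "plain",
              "letsencrypt.org may issue:", ca_may_issue(host, "letsencrypt.org", wild))
```

Note what the check does not involve: nothing here is evaluated by the party connecting to the server. A relying party that refused a chain because the leaf's issuer was absent from a CAA record would be misapplying the RFC, which is the point made in the reply.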