CAA Record Extensions for Account URI and ACME Method Binding
Draft of message to be sent after approval:
From: The IESG <firstname.lastname@example.org> To: IETF-Announce <email@example.com> Cc: firstname.lastname@example.org, The IESG <email@example.com>, Daniel McCarney <firstname.lastname@example.org>, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com Subject: Protocol Action: 'CAA Record Extensions for Account URI and ACME Method Binding' to Proposed Standard (draft-ietf-acme-caa-09.txt) The IESG has approved the following document: - 'CAA Record Extensions for Account URI and ACME Method Binding' (draft-ietf-acme-caa-09.txt) as Proposed Standard This document is the product of the Automated Certificate Management Environment Working Group. The IESG contact persons are Benjamin Kaduk and Roman Danyliw. A URL of this Internet Draft is: https://datatracker.ietf.org/doc/draft-ietf-acme-caa/
Technical Summary The CAA DNS record allows a domain to communicate issuance policy to CAs, but only allows a domain to define policy with CA-level granularity. However, the CAA specification also provides facilities for extension to admit more granular, CA-specific policy. This specification defines two such parameters, one allowing specific accounts of a CA to be identified by URI and one allowing specific methods of domain control validation as defined by the ACME protocol to be required. Working Group Summary Earlier drafts used a hyphen character in the "validationmethods" and "accounturi" parameters that was incompatible with the grammar defined in RFC 6844. This has been addressed in the latest draft by removing the hyphen character. Early discussion of the draft addressed issues raised by the community with regards to the security considerations section, and the handling of non-ACME challenge methods. Overall consensus was reached within the WG process without any rough areas and no controversial topics remain unaddressed. Document Quality Let's Encrypt, a large high-volume production ACME based CA, has fully implemented the ACME-CAA draft in a testing environment (not yet promoted to production usage). Let's Encrypt has committed to promoting ACME-CAA features to production in the near future. The overall document quality is high. Developing an implementation based on the specification text is reasonable. Personnel The document shepard is Daniel McCarney. The responsible area director is Roman Danyliw.