Telechat Review of draft-ietf-acme-caa-08
review-ietf-acme-caa-08-secdir-telechat-orman-2019-06-22-00

	                Security review of
     CAA Record Extensions for Account URI and ACME Method Binding
                         draft-ietf-acme-caa-08


Do not be alarmed.  I have reviewed this document as part of the
security directorate's ongoing effort to review all IETF documents
being processed by the IESG.  These comments were written primarily
for the benefit of the security area directors.  Document editors and
WG chairs should treat these comments just like any other last call
comments.

The subject of this document is DNS records describing certificate
issuance policies and how the policies can be made more granular
through the use of two new parameters: accounturi and
validationmethods.  The first parameter designates particular accounts
that can act as CAs for a domain, the second parameter names the
methods that can be used for validation.

This version is laudable in its amplification of the security
considerations section.

Section 5.6 discusses the case in which the CA does not use DNSSEC
and is vulnerable to MITM attacks.  The final paragraph says that
the new parameters are still effective in this case.  I do not think
that it is the intent of the authors to support the idea of a CA
not using DNSSEC, but the text has a positive slant to it, which
might be interpreted as a recommendation.  Some slight wordsmithing
would be helpful.

As nearly as I can tell, there are no security problems.

The phrase "as such" is used 4 times in section 5.  It has no effect
on the meaning of the sentence, and I recommend universal deletion.


Hilarie