[Acme] Use of CAA in ACME

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 03 February 2016 19:17 UTC

Date: Wed, 03 Feb 2016 14:17:24 -0500
Message-ID: <CAMm+LwjPUSWeFAXYdrt0RCHfHvgCuzn54iSgF+-fSKsh1QzjnA@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: "acme@ietf.org" <acme@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/HfOcZyLAEFwdK1v7LdRpqN3kiX4>
Subject: [Acme] Use of CAA in ACME

I would like to propose that we use RFC6844 to allow clients to
discover the CA to direct requests to.

A DNS name MAY have multiple CAA records. Each record has a tag
specifying the purpose and a text field. So we would add in a text
field for ACME.

The simplest version would be something of the form:

example.com.  IN  CAA  0 acme "comodo.com"

The typical enterprise case has the request going to an LRA because
that is where the account key pair is held and that is what did the
validation against the CA.

I am thinking through that part.
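The following is an added worked example, not code from the message, the ACME drafts, or RFC 6844. It shows what a client would have to do to use CAA for CA discovery as proposed above: decode the CAA wire format (RFC 6844 section 5.1), climb from the requested name toward the root until a CAA record set is found (section 4), apply the issue/issuewild semantics including the critical flag, and then read the proposed "acme" property. The "acme" tag is the hypothetical property from the message, not a registered CAA tag; the zone data is constructed and no DNS queries are made. The added check a practitioner would want is that the CA the "acme" tag points at is also one that the same CAA set permits to issue, since a client that blindly follows the tag can otherwise send its request to a CA that is obliged to refuse it.

```python
"""Added example: RFC 6844 CAA lookup plus the proposed "acme" discovery tag.

Illustrative only: zone data is constructed, the "acme" tag is the hypothetical
property proposed in the message (not a registered CAA property), and no real
DNS queries are made.
"""
from __future__ import annotations

from dataclasses import dataclass

CRITICAL = 0x80  # RFC 6844 issuer-critical flag bit


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


def parse_caa_rdata(rdata: bytes) -> CAA:
    """Decode RFC 6844 section 5.1 wire format: flags, tag length, tag, value."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("bad CAA tag length")
    tag = rdata[2:2 + tag_len].decode("ascii")
    if not tag.isalnum():
        raise ValueError("CAA tag must be alphanumeric")
    value = rdata[2 + tag_len:].decode("ascii")
    return CAA(flags, tag.lower(), value)


def parse_issue_value(value: str) -> tuple[str, dict[str, str]]:
    """Split an issue/issuewild value 'domain; k=v; k=v' into (domain, params)."""
    parts = [p.strip() for p in value.split(";")]
    domain = parts[0].lower()
    params: dict[str, str] = {}
    for p in parts[1:]:
        if not p:
            continue
        k, _, v = p.partition("=")
        params[k.strip()] = v.strip()
    return domain, params


# Constructed zone data: name -> CAA record set. "acme" is the hypothetical tag.
ZONE = {
    "example.com": [
        CAA(0, "issue", "comodo.com"),
        CAA(0, "issue", "ca.example.net; account=230123"),
        CAA(0, "issuewild", ";"),  # nobody may issue wildcard certs
        CAA(0, "iodef", "mailto:security@example.com"),
        CAA(0, "acme", "comodo.com"),
    ],
    "locked.example.com": [
        CAA(CRITICAL, "tbs", "unknown-critical-property"),
    ],
}


def lookup_caa(name: str) -> tuple[str, list[CAA]] | None:
    """RFC 6844 section 4: walk from name toward the root, stop at first CAA set."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ZONE:
            return candidate, ZONE[candidate]
    return None


def permitted_issuers(name: str) -> set[str] | None:
    """CA domains allowed to issue for name (None = no CAA found, any CA may).

    issuewild, when present, replaces issue for wildcard names; a bare ';'
    value means no CA. An unrecognised tag carrying the critical bit forbids
    issuance outright (RFC 6844 section 5.1).
    """
    found = lookup_caa(name.lstrip("*."))
    if found is None:
        return None
    _, records = found
    known = {"issue", "issuewild", "iodef", "acme"}  # "acme" is hypothetical
    if any(r.flags & CRITICAL and r.tag not in known for r in records):
        return set()
    wildcard = name.startswith("*.")
    use_wild = wildcard and any(r.tag == "issuewild" for r in records)
    tag = "issuewild" if use_wild else "issue"
    issuers: set[str] = set()
    for r in records:
        if r.tag == tag:
            domain, _ = parse_issue_value(r.value)
            if domain:
                issuers.add(domain)
    return issuers


def discover_acme_ca(name: str) -> str | None:
    """CA named by the proposed 'acme' tag, only if the same CAA set lets it issue."""
    found = lookup_caa(name.lstrip("*."))
    if found is None:
        return None
    _, records = found
    candidates = [r.value.strip().lower() for r in records if r.tag == "acme"]
    allowed = permitted_issuers(name)
    for ca in candidates:
        if allowed is None or ca in allowed:
            return ca
    return None
```

With the constructed zone, `discover_acme_ca("www.example.com")` returns `comodo.com`, while `discover_acme_ca("*.example.com")` returns `None` because the `issuewild ";"` record forbids every CA for wildcard names even though the `acme` tag still names one; a client that skipped the permitted-issuer check would send a request the CA must reject.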