Re: [Acme] ACME draft is now in WGLC.
Jacob Hoffman-Andrews <jsha@eff.org> Mon, 13 March 2017 21:00 UTC
Return-Path: <jsha@eff.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43C31129B78 for <acme@ietfa.amsl.com>; Mon, 13 Mar 2017 14:00:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.004
X-Spam-Level:
X-Spam-Status: No, score=-7.004 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=eff.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q-o1YmYd1VLM for <acme@ietfa.amsl.com>; Mon, 13 Mar 2017 14:00:41 -0700 (PDT)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97340129B64 for <acme@ietf.org>; Mon, 13 Mar 2017 14:00:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:MIME-Version:Date:Message-ID:From:References:To:Subject; bh=N31v0PE0m/QAwAVwg58kI/6redvCCD0eFBgBErYF0M4=; b=JPtF8op1O+fAmqWwOIg87n5+d5GnfWv5RKgyBnSdopKmGyoQ2HJG8K1qVixUpGb/ZUA2Mz7tdtxfhUqQIBy+8FPUQRF7YGE6k7IjYFgjUyX7jhJ7UEWuuiucz6Flb/qe4AtdRVCvBMEBqfDT0+svS7e/AjFAatX4ZXjsxJumatA=;
Received: ; Mon, 13 Mar 2017 14:00:43 -0700
To: acme@ietf.org
References: <8473d9ba84894d49b2f2232370d66b46@usma1ex-dag1mb3.msg.corp.akamai.com> <20170307031510.GN7733@mournblade.imrryr.org> <20170307032023.GO7733@mournblade.imrryr.org> <9471a5323a98405eaf0ee111fb0350b0@usma1ex-dag1mb3.msg.corp.akamai.com> <20170313201410.GG4095@mournblade.imrryr.org>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <3b319b98-64f2-5ed9-fa2e-460c574459d1@eff.org>
Date: Mon, 13 Mar 2017 14:00:40 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <20170313201410.GG4095@mournblade.imrryr.org>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Received-SPF: skipped for local relay
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/NtwyhBTMxn11AVS5S79e5IVnoUU>
Subject: Re: [Acme] ACME draft is now in WGLC.
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Mar 2017 21:00:43 -0000
As Rich said, the CA/Browser Forum has indeed voted to mandate CAA. Hooray! On 03/13/2017 01:14 PM, Viktor Dukhovni wrote: > I've had complete disinterest in CAA which initially was accepted > by CA/B forum as a "recommendation", which meant that the constraint > was meaningless. Rumour has it that CAA will soon be a requirement, > so I've now published CAA records. The CAA check is/was easy to > make and crippling it by not making it a requirement was IMNSHO a > mistake. I think by this you mean that the CA/Browser Forum should have mandated CAA support in its Baseline Requirements, back when it first adopted CAA as "recommended." Is that right? I think the analogous goal here is that you'd like the CA/Browser Forum to mandate use of a DNSSEC-validating recursive resolver during DNS-based validation procedures. That's great! However, I don't think mandating use of a DNSSEC-validating resolver in the ACME spec will achieve that goal, since the CA/Browser Forum is not planning to mandate use of the ACME spec. I realize that the CA/Browser Forum seems relatively opaque and hard to participate in, but if you check their bylaws it is possible for any member of the public (not just a CA or a Browser) to directly participate in the mailing list by submitting a simple form. I'd encourage you to get involved!
- [Acme] ACME draft is now in WGLC. Salz, Rich
- Re: [Acme] ACME draft is now in WGLC. Jacob Hoffman-Andrews
- Re: [Acme] ACME draft is now in WGLC. Salz, Rich
- Re: [Acme] ACME draft is now in WGLC. housley
- Re: [Acme] ACME draft is now in WGLC. Martin Thomson
- Re: [Acme] ACME draft is now in WGLC. Anders Rundgren
- Re: [Acme] ACME draft is now in WGLC. Salz, Rich
- Re: [Acme] ACME draft is now in WGLC. Russ Housley
- Re: [Acme] ACME draft is now in WGLC. Jacob Hoffman-Andrews
- Re: [Acme] ACME draft is now in WGLC. Anders Rundgren
- Re: [Acme] ACME draft is now in WGLC. Viktor Dukhovni
- Re: [Acme] ACME draft is now in WGLC. Viktor Dukhovni
- Re: [Acme] ACME draft is now in WGLC. Salz, Rich
- Re: [Acme] ACME draft is now in WGLC. Viktor Dukhovni
- Re: [Acme] ACME draft is now in WGLC. Salz, Rich
- Re: [Acme] ACME draft is now in WGLC. Jacob Hoffman-Andrews
- Re: [Acme] ACME draft is now in WGLC. Viktor Dukhovni
- Re: [Acme] ACME draft is now in WGLC. Hugo Landau
- Re: [Acme] ACME draft is now in WGLC. Richard Barnes
- Re: [Acme] ACME draft is now in WGLC. Phillip Hallam-Baker
- Re: [Acme] ACME draft is now in WGLC. Richard Barnes