[Acme] CAA record proposal

Hugo Landau <hlandau@devever.net> Wed, 02 December 2015 19:08 UTC

Date: Wed, 02 Dec 2015 19:08:33 +0000
From: Hugo Landau <hlandau@devever.net>
To: acme@ietf.org
Message-ID: <20151202190833.GA8385@andover>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/_afuTR_aukG_dAOjV3Qad3xCWFU>

I'd like to propose the following addition to the specification.
Any comments?


CAA Record Use
--------------

An ACME server SHOULD support CAA DNS records as described in
{{RFC6844}}. The server SHOULD look for such records when issuing
authorizations, as opposed to when issuing certificates.

CAA is designed to be extensible beyond mere CA-level authorization. It
is RECOMMENDED that ACME servers support the following account key
parameter to allow issuance to be restricted to the bearer of a given
account key.

A CAA record parameter "acme-ak" is defined. The value of this parameter
MUST be the base64url encoding of the JWK thumbprint of the account key.

If an ACME server finds multiple CAA records pertaining to it (i.e.,
having property 'issue' and a domain that the ACME server recognises as
its own) with different "acme-ak" parameters, at least one of the
specified key thumbprints must match the requesting account key.  A
record without an "acme-ak" parameter matches any account key.  A record
with an invalid "acme-ak" parameter or multiple "acme-ak" parameters
(i.e. not 44 characters long and a valid base64url string) or multiple
"acme-ak" parameters is unsatisfiable.

The following shows an example configuration which nominates two account
keys as authorized to issue certificates for the domain example.com.
Issuance is restricted to the CA "example.net".

example.com. IN CAA 0 issue "example.net; acme-ak=UKNmi2whPhuAhDvAxGa_aOZgPzyJDhhsrt-8Bt2fWh0="
example.com. IN CAA 0 issue "example.net; acme-ak=rlp4OZPOR9MKejkOdZAKQ5Tfwce6llawmrDIh-BtNJ0="
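As an added example for this thread (not code from the draft, from the proposal, or from any ACME implementation), the following Python applies the rules above to a CAA RRset: it computes the RFC 7638 thumbprint of an account key, parses "issue" values into an issuer domain plus parameters, and decides whether a given account key may obtain issuance from a given CA. It assumes the 44-character padded form of base64url used in the proposal's examples (RFC 7515's base64url omits the trailing "=" and would give 43 characters, so a deployed check has to settle on one form), that the CAA RRset for the relevant name has already been fetched (the RFC 6844 parent-walking lookup is not shown), and that the JWKs are constructed placeholders rather than real keys. It also applies two base RFC 6844 rules the proposal builds on: a critical property the CA does not understand forbids issuance, and "issue" records that name only other CAs forbid it.

```python
import base64
import hashlib
import json
import re

# JWK members that enter the RFC 7638 thumbprint, per key type; every other member is ignored.
THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}

# Assumed value syntax: padded base64url of a SHA-256 digest, 44 characters as in the proposal.
ACME_AK_SYNTAX = re.compile(r"^[A-Za-z0-9_-]{43}=$")
# Zone-file style CAA RR, e.g. 'example.com. IN CAA 0 issue "example.net; acme-ak=..."'
CAA_RR = re.compile(r'^(?P<owner>\S+)\s+IN\s+CAA\s+(?P<flags>\d+)\s+(?P<tag>\S+)\s+"(?P<value>[^"]*)"\s*$')
CRITICAL = 0x80                               # RFC 6844 issuer-critical flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # property tags this checker understands


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the required members as sorted, whitespace-free JSON."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).digest()


def acme_ak_value(jwk):
    """The 'acme-ak' value for an account key: base64url of its thumbprint, padded
    to 44 characters to match the proposal's examples (RFC 7515 would omit the '=')."""
    return base64.urlsafe_b64encode(jwk_thumbprint(jwk)).decode("ascii")


def parse_caa_rr(line):
    """Parse one CAA RR line into owner name, flags, property tag and value."""
    m = CAA_RR.match(line.strip())
    if not m:
        raise ValueError("not a CAA RR: %r" % line)
    return {"owner": m["owner"], "flags": int(m["flags"]), "tag": m["tag"].lower(), "value": m["value"]}


def parse_issue_value(value):
    """Split an 'issue' value into (issuer domain, [(param tag, param value), ...]), RFC 6844 s5.2."""
    head, *rest = value.split(";")
    params = []
    for p in rest:
        p = p.strip()
        if not p:
            continue
        if "=" not in p:
            raise ValueError("malformed CAA parameter: %r" % p)
        tag, val = p.split("=", 1)
        params.append((tag.strip().lower(), val.strip()))
    return head.strip().lower(), params


def issue_record_authorises(params, account_ak):
    """The proposal's per-record rules, for a record that already names this CA."""
    aks = [v for t, v in params if t == "acme-ak"]
    if not aks:
        return True                       # no acme-ak: any account key may issue
    if len(aks) > 1 or not ACME_AK_SYNTAX.match(aks[0]):
        return False                      # duplicated or malformed acme-ak: unsatisfiable
    return aks[0] == account_ak           # one well-formed thumbprint: it must match


def account_may_issue(rr_lines, ca_domain, account_ak):
    """True if the CAA RRset lets `account_ak` obtain issuance from the CA `ca_domain`."""
    rrs = [parse_caa_rr(line) for line in rr_lines]
    # RFC 6844 section 3: a critical property the CA does not understand forbids issuance.
    if any(rr["flags"] & CRITICAL and rr["tag"] not in KNOWN_TAGS for rr in rrs):
        return False
    issue = [parse_issue_value(rr["value"]) for rr in rrs if rr["tag"] == "issue"]
    if not issue:
        return True                       # no issue property: CAA does not restrict issuance
    mine = [params for issuer, params in issue if issuer == ca_domain.lower()]
    if not mine:
        return False                      # issue records exist but none names this CA
    # Proposal: with several records for this CA, at least one must accept the account key.
    return any(issue_record_authorises(params, account_ak) for params in mine)


# Constructed placeholder JWKs (the x/y values are not real P-256 coordinates); only their
# thumbprints matter here.  The extra "kid" on KEY_A shows that it does not affect the thumbprint.
KEY_A = {"kty": "EC", "crv": "P-256", "x": "placeholder-x-A", "y": "placeholder-y-A", "kid": "acct-A"}
KEY_B = {"kty": "EC", "crv": "P-256", "x": "placeholder-x-B", "y": "placeholder-y-B"}
KEY_C = {"kty": "EC", "crv": "P-256", "x": "placeholder-x-C", "y": "placeholder-y-C"}


def zone_for(*jwks, ca="example.net"):
    """CAA RRs in the shape of the proposal's example: one 'issue' record per nominated key."""
    return ['example.com. IN CAA 0 issue "%s; acme-ak=%s"' % (ca, acme_ak_value(k)) for k in jwks]


if __name__ == "__main__":
    zone = zone_for(KEY_A, KEY_B)        # nominates A and B, like the two records in the proposal
    print("\n".join(zone))
    for name, key in (("A", KEY_A), ("B", KEY_B), ("C", KEY_C)):
        print("account", name, "->", account_may_issue(zone, "example.net", acme_ak_value(key)))
```

Run as a script it prints the two generated records and then accepts accounts A and B and refuses C. The unsatisfiable cases (a malformed or duplicated "acme-ak") are deliberately distinct from "no acme-ak": the former refuse every key for that record, the latter accepts any key, which is the difference the proposal text draws.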