Ben's 3.2.2.8 wording suggestions
wthayer authored Jan 24, 2025
1 parent ce01855 commit 5104234
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions docs/BR.md
Expand Up @@ -1087,8 +1087,9 @@ CAs MAY check CAA records at any other time.
When processing CAA records, CAs MUST process the issue, issuewild, and iodef property tags as specified in RFC 8659, although they are not required to act on the contents of the iodef property tag. Additional property tags MAY be supported, but MUST NOT conflict with or supersede the mandatory property tags set out in this document. CAs MUST respect the critical flag and not issue a certificate if they encounter an unrecognized property tag with this flag set.

*Effective March 15, 2026*, when processing CAA records, CAs MUST process the accounturi and validationmethods parameters as specified in RFC 8657. In addition:
* If the CA accepts certificate requests via any protocol other than the ACME protocol defined in RFC 8555, the CA MUST define the recognized format of the accounturi in this [Section 3.2.2.8](#3228-caa-records) of their CPS.
* If the CA accepts certificate requests via any protocol other than the ACME protocol defined in RFC 8555, the CA MUST recognize validationmethods labels formed by concatenating the string ‘ca-dv-’ with the BR 3.2.2.4 subsection number, e.g. ‘ca-dv-7’ represents the DNS method described in TLS BR 3.2.2.4.7.
* If the CA accepts certificate requests via any protocol other than the ACME protocol defined in RFC 8555, the CA MUST define the supported format of the accounturi in this [Section 3.2.2.8](#3228-caa-records) of their CPS.

romanf Jan 25, 2025

Can we remove the requirement to put it in EXACTLY the section 3.2.2.8?

... the CA MUST define the supported format of the accounturi in their CPS.

BenWilson-Mozilla Jan 27, 2025

@romanf Hi Roman, is the issue that section 3.2.2.8 is already being used for some other stated purpose in some CA's CP or CPS? Or what is the reason?

romanf Jan 27, 2025

RFC 3647 doesn't go beyond 3.2.2. So I guess we're not the only CA that doesn't have 3.2.2.8 and we would have to create "empty" 3.2.2.1 .. 3.2.2.7 which doesn't make much sense. ;-)

*
* If the CA accepts certificate requests via any protocol other than the ACME protocol defined in RFC 8555, the CA MUST interpret and process validationmethods labels formed by concatenating the string ‘ca-dv-’ with the BR 3.2.2.4 subsection number, e.g. ‘ca-dv-7’ represents the DNS method described in TLS BR 3.2.2.4.7.

If the CA issues a certificate after processing a CAA record, it MUST do so within the TTL of the CAA record, or 8 hours, whichever is greater.
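Review bot: the bare `*` line added between the accounturi bullet and the validationmethods bullet is an empty list item and should be dropped so the list renders as exactly two bullets. Separately, the rewritten accounturi bullet still says `in this [Section 3.2.2.8](#3228-caa-records) of their CPS`, which links to the BR's own 3.2.2.8 while the sentence is about the CA's CPS; as @romanf points out in the thread, a CPS that follows the RFC 3647 outline may have no 3.2.2.8 at all, so `the CA MUST define the supported format of the accounturi in their CPS` (or `in the corresponding section of their CPS`) removes both the self-referential link and the forced section numbering. Also check that the old `MUST recognize` wording for the validationmethods labels was meant to become `MUST interpret and process`; if the intent is only that the label is accepted and mapped to the 3.2.2.4 method, `recognize` is the narrower and clearer verb.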
