SC-XX: Require DNSSEC Validation and Process RFC 8657 CAA Parameters #567

Open
wants to merge 11 commits into
base: main

wthayer
Contributor

@wthayer wthayer commented Jan 2, 2025

Update 3.2.2.8 to require that CAs process CAA accounturi and validationmethod parameters defined in RFC 8657

Fixes #353

@wthayer wthayer requested a review from a team as a code owner January 2, 2025 22:11
wthayer and others added 5 commits January 3, 2025 14:40
Co-authored-by: Rob Stradling <[email protected]>
- validationmethod labels must comply with section 4 of RFC 8657
- Update effective date format
- Add 'this section' to CPS requirements.
@wthayer wthayer changed the title SC-XX: Process RFC 8657 CAA Parameters SC-XX: Require DNSSEC Validatiion and Process RFC 8657 CAA Parameters Jan 22, 2025
@wthayer wthayer changed the title SC-XX: Require DNSSEC Validatiion and Process RFC 8657 CAA Parameters SC-XX: Require DNSSEC Validation and Process RFC 8657 CAA Parameters Jan 22, 2025
Contributor Author

wthayer commented Jan 26, 2025

Updated based on 24-Jan Validation meeting:

  • Still specifying the CA-specific label format. Consensus was that this does not violate the RFC
  • Adopted Ben's wording
  • Rearranged 3.2.2.8 and added subsections
  • Changed MUST date to 2027 for parameters. Left the 2026 date for DNSSEC since it's arguably a clarification
  • Drafted a recommendation that CAs accept validationmethods labels from ACME or the BRs

Development

Successfully merging this pull request may close these issues.

Define standard CAA semantics for limiting cert issuance
4 participants