SC-XX: Require DNSSEC Validation and Process RFC 8657 CAA Parameters #567

Status: Open. Wants to merge 11 commits into base: main.
8 changes: 8 additions & 0 deletions docs/BR.md
Expand Up @@ -609,6 +609,10 @@ RFC7538, Request For Comments: 7538, The Hypertext Transfer Protocol Status Code

RFC8499, Request for Comments: 8499, DNS Terminology. P. Hoffman, et al. January 2019.

RFC8555, Request for Comments: 8555, Automatic Certificate Management Environment (ACME). R. Barnes, et al. March 2019.

RFC8657, Request for Comments: 8657, Certification Authority Authorization (CAA) Record Extensions for Account URI and Automatic Certificate Management Environment (ACME) Method Binding. H. Landau, et al. November 2019.

RFC8659, Request for Comments: 8659, DNS Certification Authority Authorization (CAA) Resource Record. P. Hallam-Baker, et al. November 2019.

RFC8738, Request for Comments: 8738, Automated Certificate Management Environment (ACME) IP Identifier Validation Extension. R.B.Shoemaker, Ed. February 2020.
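Review bot: the two added entries (RFC 8657 and RFC 8659) follow the list's existing format (RFC number, "Request for Comments", title, first author "et al.", month and year), but the unchanged RFC7538 context line at the top of the hunk uses "Request For Comments" with a capital F while RFC8499, RFC8555 and both new entries use "Request for Comments"; since this hunk already touches the list, normalizing that casing would be a cheap cleanup. Worth recording in the description that RFC 8659 was already cited by name in the CAA processing text of Section 3.2.2.8 without an entry in this reference list, so this addition also closes a dangling citation.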
Expand Down Expand Up @@ -1082,6 +1086,10 @@ CAs MAY check CAA records at any other time.

When processing CAA records, CAs MUST process the issue, issuewild, and iodef property tags as specified in RFC 8659, although they are not required to act on the contents of the iodef property tag. Additional property tags MAY be supported, but MUST NOT conflict with or supersede the mandatory property tags set out in this document. CAs MUST respect the critical flag and not issue a certificate if they encounter an unrecognized property tag with this flag set.

*Effective September 15, 2025*, when processing CAA records, CAs MUST process the accounturi and validationmethods parameters as specified in RFC 8657. In addition:
* If the CA accepts certificate requests via any protocol other than the ACME protocol defined in RFC 8555, the CA MUST define the recognized format of the accounturi in this [Section 3.2.2.8](#3228-caa-records) of their CPS.
* The CA MUST define each recognized validationmethods label, along with the corresponding Section 3.2.2.4 subsection number, in this [Section 3.2.2.8](#3228-caa-records) of their CPS. Labels MUST comply with Section 4 of RFC 8657.

If the CA issues a certificate after processing a CAA record, it MUST do so within the TTL of the CAA record, or 8 hours, whichever is greater.

RFC 8659 requires that CAs "MUST NOT issue a certificate unless the CA determines that either (1) the certificate request is consistent with the applicable CAA RRset or (2) an exception specified in the relevant CP or CPS applies." For issuances conforming to these Baseline Requirements, CAs MUST NOT rely on any exceptions specified in their CP or CPS unless they are one of the following:
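Review bot: both new bullets read "this [Section 3.2.2.8](#3228-caa-records) of their CPS", but the markdown anchor resolves to Section 3.2.2.8 of the Baseline Requirements themselves, not to the CA's CPS; the intent (the CPS section carrying the same RFC 3647 numbering) is recoverable, but "this ... of their CPS" mixes the two documents. Suggest either dropping the anchor ("in Section 3.2.2.8 of their CPS") or rewording to "in the CPS section corresponding to [Section 3.2.2.8](#3228-caa-records)". A second gap in the new paragraph: it requires CAs to process accounturi and validationmethods "as specified in RFC 8657" and to document recognized formats and labels, but says nothing about the outcome when a parameter is present and its value cannot be matched to the request (for example an accounturi in a format the CA has not defined, or a validationmethods label the CA does not recognize); a sentence stating that such a record does not authorize issuance, or an explicit pointer to the RFC 8657 rule the CA must follow, would remove ambiguity for the non-ACME CAs the first bullet singles out.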