[cabf_validation] CAA Tags, concrete proposal

Tim Hollebeek tim.hollebeek at digicert.com
Mon Dec 18 12:10:00 MST 2017

I personally find OIDs very hard for non-technical users to grasp.  And even for technical users who haven’t seen them before.  I agree numbers are bad, but why don’t you like readable text labels, like Validation=Phone?


I think account and account-uri are complementary approaches.  I agree that CAs need the freedom to put whatever they want on the right hand side of these, and many CAs have existing customer identification schemes that are not URIs, so the account-uri field cannot be used.




From: Jacob Hoffman-Andrews [mailto:jsha at letsencrypt.org] 
Sent: Friday, December 15, 2017 3:54 PM
To: Tim Hollebeek <tim.hollebeek at digicert.com>; CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: Re: [cabf_validation] CAA Tags, concrete proposal


Hi! I like the ideas here, generally. Some very similar ideas have been brought up in https://tools.ietf.org/html/draft-ietf-acme-caa-03, in particular the account-uri parameter. I'd recommend using the same syntax, and allowing CAs to decide on their own account-uri schemes.


For the validation methods, rather than bare numbers, I think it would be useful to assign OIDs to the validation methods currently in the BRs (if there aren't OIDs already assigned), and use those as a long-term unambiguous reference. This has the advantage that it's also relatively straightforward to embed OIDs designating validation methods in certificates if CAs decide to do that.


On Thu, Dec 14, 2017 at 1:10 PM, Tim Hollebeek via Validation <validation at cabforum.org> wrote:


Attached is a document that attempts to make a concrete proposal about how the CAA tags that have been discussed recently might work.


Comments welcome.




Validation mailing list
Validation at cabforum.org
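As an added illustration (not part of the thread, the attached proposal, or the ACME CAA draft), here is how a CA-side CAA check might evaluate `issue` records that carry the parameters discussed above: an `account-uri=` tag as in the draft Jacob cites and a `Validation=` tag with readable labels as Tim proposes. The tag names follow the thread; the later RFC 8657 uses `accounturi` and `validationmethods` instead. The parameter semantics assumed here (a record only matches when every parameter it carries is satisfied) are an assumption for the example, and the tag grammar is that of RFC 8659.

```python
import re

# RFC 8659 issue value: issuer-domain-name *(";" tag "=" value)
# tag = (ALPHA / DIGIT) *( *("-") (ALPHA / DIGIT) ); hyphens allowed inside
_TAG_RE = re.compile(r"^[A-Za-z0-9](?:-*[A-Za-z0-9])*$")


def parse_issue_value(value):
    """Split a CAA issue/issuewild value into (issuer, {tag: value}).
    An empty issuer (the value ';') means no CA may issue."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if not part:          # tolerate a trailing ';'
            continue
        if "=" not in part:
            raise ValueError(f"malformed parameter: {part!r}")
        tag, _, val = part.partition("=")
        tag = tag.strip().lower()   # tags compared case-insensitively (assumption)
        if not _TAG_RE.match(tag):
            raise ValueError(f"bad tag: {tag!r}")
        params[tag] = val.strip()
    return issuer, params


def issuance_permitted(records, ca_domain, account_uri=None, method=None):
    """Decide whether `ca_domain` may issue, given the relevant issue records.
    Assumed semantics (modelled on the thread's proposal):
      account-uri=<uri>      only that account at the CA may request issuance
      validation=<l1>,<l2>   only the listed validation-method labels may be used
    A record naming the CA counts only if all of its parameters are satisfied."""
    if not records:
        return True           # no relevant CAA records: no restriction
    for rec in records:
        issuer, params = parse_issue_value(rec)
        if issuer != ca_domain.lower():
            continue
        uri = params.get("account-uri")
        if uri is not None and uri != account_uri:
            continue
        allowed = params.get("validation")
        if allowed is not None:
            labels = {m.strip().lower() for m in allowed.split(",")}
            if method is None or method.lower() not in labels:
                continue
        return True
    return False
```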

