CAA: Challenge Types

A CAA flag to limit acceptable challenge types would be quite neat to exclude potentially less secure challenge types (application dependent) or to enforce domain policy (for example, all challenges on my end are handled through a secure API that our ACME clients use to manage _acme-challenge DNS records for authorized hostnames).

For example, if I only wanted to allow DNS-01 for issuance I could explicitly call it out in the CAA record. The same could go for multiple methods: for example, if I only wanted to allow DNS-01 and TLS-SNI-01.

I’m not too sure on the aspects of CAA such as what adding things to it would look like (even if it’s a Let’s Encrypt/CA/vendor specific flag).

Hi @jwilliams,

Have you seen @hlandau's work on this for RFC 8657 - Certification Authority Authorization (CAA) Record Extensions for Account URI and Automatic Certificate Management Environment (ACME) Method Binding ? I believe Section 4 "Extensions to the CAA Record: acme-methods Parameter" is exactly what you're asking for :slight_smile:

We're following this draft through the IETF process & I'm definitely supportive of its goals. It seems likely that we will eventually implement it but it isn't on the immediate roadmap (it's hard enough keeping up with the base ACME draft!).

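To make the method-binding and account-binding idea concrete, here is an added example (not code from this thread, from Let's Encrypt or from Boulder) of the CA-side check that such CAA parameters imply. It uses the parameter names as published in RFC 8657, `validationmethods` and `accounturi` (the draft discussed above called the former `acme-methods`), applied to a constructed CAA RRset; the account URI, the issuer domain example-ca.test, exact-string comparison of account URIs, and the choice to treat an unrecognized parameter as not authorizing issuance are all assumptions of this example.

```python
"""CA-side CAA check with RFC 8657 parameters (added example; constructed data)."""
from dataclasses import dataclass, field

# Parameters this example recognizes (RFC 8657). Anything else is treated as
# "not understood", which conservatively fails to authorize issuance (assumption).
KNOWN_PARAMS = frozenset({"accounturi", "validationmethods"})


@dataclass
class CaaRecord:
    flags: int
    tag: str                  # "issue", "issuewild", "iodef", ...
    issuer: str               # "" in an issue record means "nobody may issue"
    params: dict[str, str] = field(default_factory=dict)


def parse_caa(rr: str) -> CaaRecord:
    """Parse the presentation form:  <flags> <tag> "<issuer>; k=v; k=v"."""
    flags, tag, rest = rr.split(None, 2)
    text = rest.strip().strip('"')
    parts = [p.strip() for p in text.split(";")]
    params: dict[str, str] = {}
    for p in parts[1:]:
        if not p:
            continue
        key, _, val = p.partition("=")
        params[key.strip().lower()] = val.strip()
    return CaaRecord(int(flags), tag.lower(), parts[0].lower(), params)


def record_permits(rec: CaaRecord, ca: str, account_uri: str, method: str) -> bool:
    """Does this single issue/issuewild record authorize *this* request?"""
    if rec.issuer != ca.lower():
        return False
    for key, val in rec.params.items():
        if key not in KNOWN_PARAMS:
            return False
        if key == "accounturi" and val != account_uri:   # assumption: exact string match
            return False
        if key == "validationmethods":
            allowed = {m.strip().lower() for m in val.split(",") if m.strip()}
            if method.lower() not in allowed:
                return False
    return True


def issuance_allowed(rrset: list[str], ca: str, account_uri: str,
                     method: str, wildcard: bool = False) -> bool:
    """RFC 8659 property selection plus RFC 8657 parameter binding."""
    recs = [parse_caa(rr) for rr in rrset]
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in recs):
        tag = "issuewild"             # issuewild overrides issue for wildcard names
    relevant = [r for r in recs if r.tag == tag]
    if not relevant:
        return True                   # no issue restriction in the RRset
    return any(record_permits(r, ca, account_uri, method) for r in relevant)


# Constructed CAA RRset for example.test (the account URI is made up).
ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/12345"
ZONE = [
    '0 issue "letsencrypt.org; validationmethods=dns-01; accounturi=' + ACCOUNT + '"',
    '0 issue "example-ca.test; validationmethods=dns-01,tls-alpn-01"',
    '0 iodef "mailto:security@example.test"',
]

if __name__ == "__main__":
    print(issuance_allowed(ZONE, "letsencrypt.org", ACCOUNT, "dns-01"))   # True
    print(issuance_allowed(ZONE, "letsencrypt.org", ACCOUNT, "http-01"))  # False
```

The first record is the policy the original poster describes: only DNS-01, and only from one ACME account, so a stolen HTTP-01 or TLS-SNI-01 validation path for letsencrypt.org buys an attacker nothing. Note that the records are evaluated independently: a second `issue` record without parameters would silently re-open every method for that CA, so the whole RRset has to be reviewed when tightening policy.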

I had not – very nice to see, thanks! The account-uri is also an interesting additional barrier :slight_smile:

No worries regarding the roadmap on Let’s Encrypt’s end

