Signed HTTP Exchanges require SSL certificates with the CanSignHttpExchanges extension. DigiCert is currently the only provider of these certificates. It would be wonderful if support for this extension could be incorporated into Let’s Encrypt certificate generation.
I haven't been following any of this Signed HTTP Exchanges work. Thanks for opening a thread and sharing some context.
I think it's likely too early in this draft's development for Let's Encrypt to prioritize implementation. It looks like it has a ways to go within the IETF before it would be an internet standard.
Beyond the x.509 extension draft-yasskin-http-origin-signed-responsessection 4.2 "Certificate Requirements" mentions:
A conforming CA MUST NOT issue certificates with this extension unless, for each dNSName in the subjectAltName extension of the certificate to be issued:
An “issue” or “issuewild” CAA property ([RFC6844]) exists that authorizes the CA to issue the certificate; and
The “cansignhttpexchanges” parameter (Section 4.2.1) is present on the property and is equal to “yes”
Part #2 of this would require development work in Boulder to process the "cansignhttpexchanges" CAA property that the draft introduces.
