The future of CAA


#1

What will happen when LE reaches critical mass acceptance?
If (almost) every domain includes the same CA:
issue: letsencrypt.org
issuewild: letsencrypt.org
What good would using CAA do?

Should it be broken down into smaller blocks?
By country?
issue: us.letsencrypt.org
issue: de.letsencrypt.org
By intermediaries?
issue: int15.letsencrypt.org
issue: int44.letsencrypt.org


#2

https://tools.ietf.org/html/draft-ietf-acme-caa-03

I’m hoping for it to be implemented in Boulder so a zero-trust acme-dns can be created, saving everybody the trouble of hosting their own.

  1. User sets account-uri on their CAA
  2. acme-dns checks for presence of account-uri before updating TXT record
  3. Profit

#3

I’ve heard that not everyone in the CA/Browser Forum is in complete agreement about the right way to do that, but hopefully if the IETF process reaches a consensus, the CA/B Forum will be OK with that consensus too.


#4

Although one single account may not fit everyone's needs, it is definitely working in the right direction.
I’m glad it’s being worked on.


#5

You can have multiple CAA records, so you can use a different account-uri for every hostname.


#6

What good would using CAA do?

It would “prevent” any CA other than Let's Encrypt (whom you presumably trust) issuing a cert for your site. Which is all it has ever done.
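
The account-binding idea from post #2 and the "only this CA may issue" check from post #6, as an added example that is not code from the thread, Boulder or acme-dns. It assumes the parameter spelling `accounturi` (the published RFC 8657 form) alongside the draft's `account-uri`, and the zone, account URIs and hostnames are constructed samples.

```python
import re
from collections import namedtuple

# The linked draft names the parameter "account-uri"; the published RFC 8657
# spells it "accounturi". Both are accepted here (assumption: treat them alike).
ACCOUNT_TAGS = ("accounturi", "account-uri")
CAARecord = namedtuple("CAARecord", "flags tag issuer params")  # issuer "" = no CA

def parse_caa(line):
    """Parse presentation format, e.g. 0 issue "letsencrypt.org; accounturi=https://..."."""
    m = re.fullmatch(r'\s*(\d+)\s+(\S+)\s+"([^"]*)"\s*', line)
    if not m:
        raise ValueError(f"malformed CAA record: {line!r}")
    parts = [p.strip() for p in m.group(3).split(";")]
    params = {}
    for p in parts[1:]:
        if p:                                   # a bare ";" carries no parameters
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip()
    return CAARecord(int(m.group(1)), m.group(2).lower(), parts[0].lower(), params)

def bound_account(rec):
    """Account URI the record is pinned to, or None when it is unpinned."""
    return next((rec.params[k] for k in ACCOUNT_TAGS if k in rec.params), None)

def issuance_permitted(records, ca_domain, account_uri=None, wildcard=False):
    """Post #6: select issue/issuewild per RFC 8659, then apply the account pin."""
    use_wild = wildcard and any(r.tag == "issuewild" for r in records)
    relevant = [r for r in records if r.tag == ("issuewild" if use_wild else "issue")]
    if not relevant:                            # nothing published: any CA may issue
        return True
    for r in relevant:
        if r.issuer == ca_domain.lower():
            pin = bound_account(r)
            if pin is None or pin == account_uri:
                return True
    return False

def acme_dns_may_update(records, account_uri):
    """Post #2: only an account pinned by some issue/issuewild record may set the TXT."""
    return any(bound_account(r) == account_uri
               for r in records if r.tag in ("issue", "issuewild"))

# Constructed sample zone (not from the thread): LE open for ordinary names,
# pinned to one ACME account for wildcard names.
SAMPLE_ZONE = [parse_caa(l) for l in (
    '0 issue "letsencrypt.org"',
    '0 issuewild "letsencrypt.org; accounturi=https://example.test/acme/acct/42"')]
```

With the sample zone, a second CA is refused outright, and a wildcard request from any Let's Encrypt account other than account 42 is refused even though the CA itself is listed.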
