The future of CAA


What will happen when LE reaches critical mass acceptance?
If (almost) every domain includes the same CA:
What good would using CAA do?

Should it be broken down into smaller blocks?
By country?
By intermediaries?


I’m hoping for it to be implemented in Boulder so a zero-trust acme-dns can be created, saving everybody the trouble of hosting their own.

  1. User sets account-uri on their CAA
  2. acme-dns checks for presence of account-uri before updating TXT record
  3. Profit


I’ve heard that not everyone in the CA/Browser Forum is in complete agreement about the right way to do that, but hopefully if the IETF process reaches a consensus, the CA/B Forum will be OK with that consensus too.


Although one single account may not fit everyone's needs,
it is definitely working in the right direction.
I'm glad it's being worked on.


You can have multiple CAA records, so you can use a different account-uri for every hostname.
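
The check described in the acme-dns proposal earlier in the thread (user pins an account-uri in CAA, acme-dns refuses to write the TXT record unless that pin is present), combined with the point just above that separate hostnames can carry separate account-uri values. This is an added example and is not code from acme-dns or Boulder. The zone contents, the hostnames and the account URIs are constructed for the example; the record grammar follows RFC 8659 (CAA) and RFC 8657 (the accounturi and validationmethods parameters). One deliberate departure from plain RFC 8659 is called out in the code: an empty CAA set would normally permit issuance, but this gate refuses, which is the zero-trust behaviour the proposal asks for.

```go
package main

import (
	"fmt"
	"strings"
)

// CAARecord is one CAA resource record (RFC 8659); flags are omitted here.
type CAARecord struct{ Tag, Value string }

// sampleZone is constructed data for this example, not real DNS, and the
// account URIs are made up. Each hostname pins a different ACME account;
// mail.example.org permits the CA without pinning one and
// legacy.example.org permits no CA at all (";").
func sampleZone() map[string][]CAARecord {
	const le = "letsencrypt.org"
	return map[string][]CAARecord{
		"example.org":        {{"issue", le + "; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/111"}},
		"www.example.org":    {{"issue", le + "; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/222; validationmethods=dns-01"}},
		"mail.example.org":   {{"issue", le}},
		"legacy.example.org": {{"issue", ";"}},
	}
}

// parseIssueValue splits an issue value into the issuer domain and its
// parameters (RFC 8659 section 4.2; accounturi and validationmethods are
// defined in RFC 8657). Domain and parameter names are case-insensitive.
func parseIssueValue(v string) (string, map[string]string) {
	params := map[string]string{}
	parts := strings.Split(v, ";")
	domain := strings.ToLower(strings.TrimSpace(parts[0]))
	for _, p := range parts[1:] {
		kv := strings.SplitN(strings.TrimSpace(p), "=", 2)
		if len(kv) == 2 {
			params[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
		}
	}
	return domain, params
}

// relevantCAA is the RFC 8659 lookup: walk from the name towards the root
// and use the CAA set of the first label that has one.
func relevantCAA(zone map[string][]CAARecord, name string) []CAARecord {
	name = strings.TrimSuffix(strings.ToLower(name), ".")
	for name != "" {
		if rrs := zone[name]; len(rrs) > 0 {
			return rrs
		}
		if i := strings.Index(name, "."); i >= 0 {
			name = name[i+1:]
		} else {
			name = ""
		}
	}
	return nil
}

// mayUpdateTXT is the gate the acme-dns proposal describes: the
// _acme-challenge TXT record for name is written only if an issue record
// for caDomain pins exactly the requesting account. Plain RFC 8659 treats
// an empty CAA set as "any CA may issue"; this gate refuses instead.
// (issuewild handling for wildcard names is left out for brevity.)
func mayUpdateTXT(zone map[string][]CAARecord, name, caDomain, accountURI string) (bool, string) {
	if accountURI == "" {
		return false, "no account URI supplied"
	}
	rrs := relevantCAA(zone, name)
	if len(rrs) == 0 {
		return false, "no CAA records: nothing pins an account"
	}
	sawCA := false
	for _, rr := range rrs {
		domain, params := parseIssueValue(rr.Value)
		if !strings.EqualFold(rr.Tag, "issue") || domain != strings.ToLower(caDomain) {
			continue
		}
		sawCA = true
		if params["accounturi"] != accountURI {
			continue // CA permitted, but for another (or no) account
		}
		// validationmethods, if present, must include dns-01: that is the
		// only challenge a DNS-hosting service such as acme-dns can serve.
		if m, ok := params["validationmethods"]; ok &&
			!strings.Contains(","+strings.ReplaceAll(m, " ", "")+",", ",dns-01,") {
			continue
		}
		return true, "issue record pins " + accountURI
	}
	if sawCA {
		return false, caDomain + " is permitted but not for account " + accountURI
	}
	return false, caDomain + " is not permitted by CAA"
}

func main() {
	acct := "https://acme-v02.api.letsencrypt.org/acme/acct/111"
	for _, n := range []string{"api.example.org", "www.example.org", "mail.example.org", "legacy.example.org", "other.net"} {
		ok, why := mayUpdateTXT(sampleZone(), n, "letsencrypt.org", acct)
		fmt.Printf("%-19s update=%-5t %s\n", n, ok, why)
	}
}
```

Note that www.example.org has its own CAA set, so it does not inherit the pin on example.org: a request for www.example.org under account 111 is refused even though api.example.org (which has no CAA of its own and climbs to example.org) is accepted. That is exactly the per-hostname separation the reply above describes.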


It would "prevent" any CA other than Let's Encrypt (whom you presumably trust) from issuing a cert for your site. Which is all it has ever done.


