Skip to content

SC-098: Process RFC 8657 CAA Parameters#567

Open
wthayer wants to merge 53 commits intomainfrom
SC-XX-Process-RFC-8657-CAA-Parameters
Open

SC-098: Process RFC 8657 CAA Parameters#567
wthayer wants to merge 53 commits intomainfrom
SC-XX-Process-RFC-8657-CAA-Parameters

Conversation

@wthayer
Copy link
Copy Markdown
Contributor

@wthayer wthayer commented Jan 2, 2025

Update 3.2.2.8 to require that CAs process CAA accounturi and validationmethod parameters defined in RFC 8657

Fixes #353

@wthayer wthayer requested a review from a team as a code owner January 2, 2025 22:11
robstradling
robstradling previously requested changes Jan 3, 2025
View reviewed changes
Comment thread docs/BR.md Outdated
Comment thread docs/BR.md Outdated
wthayer and others added 5 commits January 3, 2025 14:40
@wthayer @robstradling
Update CPS requirement
931a430 
Co-authored-by: Rob Stradling <rob@sectigo.com>
@wthayer @robstradling
Move to ca-defined method labels
7ab7800 
Co-authored-by: Rob Stradling <rob@sectigo.com>
@wthayer
Add 8657 compliance
1c745f6 
- validationmethod labels must comply with section 4 of RFC 8657
- Update effective date format
- Add 'this section' to CPS requirements.
@wthayer
Add 8555 and 8657 references
eb6123c
@wthayer
Link section refs
9966da5
geegeea
geegeea reviewed Jan 8, 2025
View reviewed changes
Comment thread docs/BR.md Outdated
@srdavidson srdavidson mentioned this pull request Jan 9, 2025
Open
@wthayer wthayer changed the title SC-XX: Process RFC 8657 CAA Parameters SC-XX: Require DNSSEC Validatiion and Process RFC 8657 CAA Parameters Jan 22, 2025
@wthayer wthayer changed the title SC-XX: Require DNSSEC Validatiion and Process RFC 8657 CAA Parameters SC-XX: Require DNSSEC Validation and Process RFC 8657 CAA Parameters Jan 22, 2025
@wthayer
Copy link
Copy Markdown
Contributor Author

wthayer commented Jan 26, 2025

Updated based on 24-Jan Validation meeting:

  • still specifying the CA-specific label format. consensus was that this does not violate the RFC
  • adopted Ben's wording
  • rearranged 3.2.2.8 and added subsections
  • Changed MUST date to 2027 for parameters. Left the 2026 date for DNSSEC since it's arguably a clarification
  • Drafted a recommendation that CAs accept validationmethods labels from ACME or the BRs

@dzacharo
Copy link
Copy Markdown
Contributor

dzacharo commented Feb 11, 2025

This also seems to address #352

CBonnell
CBonnell reviewed Feb 11, 2025
View reviewed changes
Comment thread docs/BR.md Outdated
wthayer and others added 2 commits February 11, 2025 14:55
@wthayer @CBonnell
Allow multiple accounturi formats
772c9b3 
Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
@wthayer
Add effective date for CPS + label format
dc7546e
@wthayer wthayer changed the title SC-XX: Require DNSSEC Validation and Process RFC 8657 CAA Parameters SC-XX: Process RFC 8657 CAA Parameters Mar 6, 2025
robstradling
robstradling reviewed Feb 24, 2026
View reviewed changes
Comment thread docs/BR.md Outdated
@wthayer wthayer dismissed robstradling’s stale review April 2, 2026 03:02

the requested changes have been incorporated.

@sheurich sheurich mentioned this pull request Apr 16, 2026
Open
ChristopherRC
ChristopherRC reviewed Apr 17, 2026
View reviewed changes
Comment thread docs/BR.md Outdated
geegeea
geegeea reviewed Apr 17, 2026
View reviewed changes
Comment thread docs/BR.md Outdated
Comment thread docs/BR.md Outdated
sheurich
sheurich reviewed Apr 23, 2026
View reviewed changes
Comment thread docs/BR.md
sheurich
sheurich reviewed Apr 23, 2026
View reviewed changes
Comment thread docs/BR.md Outdated
sheurich
sheurich reviewed Apr 23, 2026
View reviewed changes
Comment thread docs/BR.md Outdated
sheurich
sheurich reviewed Apr 23, 2026
View reviewed changes
Comment thread docs/BR.md Outdated
sheurich
sheurich reviewed Apr 23, 2026
View reviewed changes
Comment thread docs/BR.md Outdated
wthayer and others added 10 commits April 26, 2026 15:12
@wthayer @ChristopherRC
For ACME, add accounturi parent/child option
e6fd6f3 
Co-authored-by: Chris Clements <cclements@google.com>
@wthayer @geegeea
Remove implicit requirement to exactly implement RFC 8555
7f59ca4 
Co-authored-by: Gurleen Grewal <gurleen.grewal@gmail.com>
@wthayer @geegeea
Remove implicit requirement to exactly implement RFC 8555
6a3ea47 
Co-authored-by: Gurleen Grewal <gurleen.grewal@gmail.com>
@wthayer @sheurich
Replace missing sentence.
f4c39e4 
Co-authored-by: Shiloh Heurich <1778483+sheurich@users.noreply.github.com>
@wthayer @sheurich
Fix links
b1ca051 
Co-authored-by: Shiloh Heurich <1778483+sheurich@users.noreply.github.com>
@wthayer @sheurich
Fix formatting
3dd27be 
Co-authored-by: Shiloh Heurich <1778483+sheurich@users.noreply.github.com>
@wthayer @sheurich
Clarify reference
572fc17 
Co-authored-by: Shiloh Heurich <1778483+sheurich@users.noreply.github.com>
@wthayer @sheurich
Fix formatting
3b8c991 
Co-authored-by: Shiloh Heurich <1778483+sheurich@users.noreply.github.com>
@wthayer
Fix formatting
4330d02
@wthayer
Fix section numbering
515ba35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@robstradling robstradling robstradling left review comments

@CBonnell CBonnell CBonnell left review comments

@aarongable aarongable aarongable left review comments

@XolphinMartijn XolphinMartijn XolphinMartijn left review comments

+5 more reviewers

@sheurich sheurich sheurich left review comments

@orangepizza orangepizza orangepizza left review comments

@ChristopherRC ChristopherRC ChristopherRC left review comments

@geegeea geegeea geegeea left review comments

@shuvosarker22 shuvosarker22 shuvosarker22 approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Define standard CAA semantics for limiting cert issuance