ACME CAA Extensions to Become Mandatory
8 points by fanf
This looks like another hoop domain owners will have to jump through in order to publish anything to the web, but perhaps I am not understanding it?
Your read does not match mine.
My read is that for certification authorities who use ACME to issue domain-validated certificates to meet the requirements of the CA/Browser Forum, those authorities will need to implement the ACME CAA extensions.
From your perspective, the only thing that changes is that if you publish a CAA record, these ACME CAs are now obligated to respect it (and browsers can check/enforce it), or they won't be allowed as trusted CAs in most browsers anymore.
It's a required hoop for CAs. And Let's Encrypt already supports it. For domain owners, it's just an extra knob they can use to make the CAs and browsers behave the way they want.
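
Added example, not part of the thread and not any CA's own code: a sketch of the check an ACME CA could run against a domain's CAA `issue` records, including the `accounturi` and `validationmethods` parameters from the ACME CAA extensions (RFC 8657). The CA name, account URIs and records are constructed; it assumes the relevant record set has already been looked up, and it skips `issuewild` and unknown parameters.

```python
# Constructed sample: what a domain owner might publish to pin issuance to one
# ACME account and one validation method at a single CA.
SAMPLE_ISSUE_VALUES = [
    "ca.example; accounturi=https://ca.example/acct/1234; validationmethods=dns-01",
]


def parse_issue_value(value):
    """Split 'ca.example; tag=value; ...' into (issuer, {tag: value})."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if not part:
            continue
        tag, _, val = part.partition("=")
        params[tag.strip().lower()] = val.strip()
    return issuer, params


def may_issue(issue_values, ca_domain, account_uri, method):
    """Return True if the CAA 'issue' records permit this CA to issue
    for this ACME account using this validation method."""
    if not issue_values:
        # No 'issue' records in the relevant set: issuance is not restricted.
        return True
    for value in issue_values:
        issuer, params = parse_issue_value(value)
        if issuer != ca_domain:
            # Covers other CAs and the bare ';' value that forbids issuance.
            continue
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue
        if "validationmethods" in params:
            allowed = [m.strip() for m in params["validationmethods"].split(",")]
            if method not in allowed:
                continue
        return True
    return False


if __name__ == "__main__":
    acct = "https://ca.example/acct/1234"
    print(may_issue(SAMPLE_ISSUE_VALUES, "ca.example", acct, "dns-01"))
    print(may_issue(SAMPLE_ISSUE_VALUES, "ca.example", acct, "http-01"))
```
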