Skip to content

SC-098: Process RFC 8657 CAA Parameters#567

Merged
dzacharo merged 56 commits into
mainfrom
SC-XX-Process-RFC-8657-CAA-Parameters
Jun 16, 2026
Merged

SC-098: Process RFC 8657 CAA Parameters#567
dzacharo merged 56 commits into
mainfrom
SC-XX-Process-RFC-8657-CAA-Parameters

Conversation

@wthayer

@wthayer wthayer commented Jan 2, 2025

Copy link
Copy Markdown
Contributor

Update 3.2.2.8 to require that CAs process CAA accounturi and validationmethod parameters defined in RFC 8657

Fixes #353

@wthayer wthayer requested a review from a team as a code owner January 2, 2025 22:11
robstradling
robstradling previously requested changes Jan 3, 2025
View reviewed changes
Comment thread docs/BR.md Outdated
Comment thread docs/BR.md Outdated
wthayer and others added 5 commits January 3, 2025 14:40
@wthayer @robstradling
Update CPS requirement
931a430 
Co-authored-by: Rob Stradling <rob@sectigo.com>
@wthayer @robstradling
Move to ca-defined method labels
7ab7800 
Co-authored-by: Rob Stradling <rob@sectigo.com>
@wthayer
Add 8657 compliance
1c745f6 
- validationmethod labels must comply with section 4 of RFC 8657
- Update effective date format
- Add 'this section' to CPS requirements.
@wthayer
Add 8555 and 8657 references
eb6123c
@wthayer
Link section refs
9966da5
geegeea
geegeea reviewed Jan 8, 2025
View reviewed changes
Comment thread docs/BR.md Outdated
@srdavidson srdavidson mentioned this pull request Jan 9, 2025
Open
@wthayer wthayer changed the title SC-XX: Process RFC 8657 CAA Parameters SC-XX: Require DNSSEC Validatiion and Process RFC 8657 CAA Parameters Jan 22, 2025
@wthayer wthayer changed the title SC-XX: Require DNSSEC Validatiion and Process RFC 8657 CAA Parameters SC-XX: Require DNSSEC Validation and Process RFC 8657 CAA Parameters Jan 22, 2025
@wthayer

wthayer commented Jan 26, 2025

Copy link
Copy Markdown
Contributor Author

Updated based on 24-Jan Validation meeting:

  • still specifying the CA-specific label format. consensus was that this does not violate the RFC
  • adopted Ben's wording
  • rearranged 3.2.2.8 and added subsections
  • Changed MUST date to 2027 for parameters. Left the 2026 date for DNSSEC since it's arguably a clarification
  • Drafted a recommendation that CAs accept validationmethods labels from ACME or the BRs

@dzacharo

dzacharo commented Feb 11, 2025

Copy link
Copy Markdown
Contributor

This also seems to address #352

CBonnell
CBonnell reviewed Feb 11, 2025
View reviewed changes
Comment thread docs/BR.md Outdated
wthayer and others added 2 commits February 11, 2025 14:55
@wthayer @CBonnell
Allow multiple accounturi formats
772c9b3 
Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
@wthayer
Add effective date for CPS + label format
dc7546e
@wthayer wthayer changed the title SC-XX: Require DNSSEC Validation and Process RFC 8657 CAA Parameters SC-XX: Process RFC 8657 CAA Parameters Mar 6, 2025
@sheurich sheurich mentioned this pull request Apr 16, 2026
Closed
ChristopherRC
ChristopherRC reviewed Apr 17, 2026
View reviewed changes
Comment thread docs/BR.md Outdated
geegeea
geegeea reviewed Apr 17, 2026
View reviewed changes
Comment thread docs/BR.md Outdated
Comment thread docs/BR.md Outdated
sheurich
sheurich reviewed Apr 23, 2026
View reviewed changes
Comment thread docs/BR.md
sheurich
sheurich reviewed Apr 23, 2026
View reviewed changes
Comment thread docs/BR.md Outdated
sheurich
sheurich reviewed Apr 23, 2026
View reviewed changes
Comment thread docs/BR.md Outdated
sheurich
sheurich reviewed Apr 23, 2026
View reviewed changes
Comment thread docs/BR.md Outdated
sheurich
sheurich reviewed Apr 23, 2026
View reviewed changes
Comment thread docs/BR.md Outdated
wthayer and others added 13 commits April 26, 2026 15:12
@wthayer @ChristopherRC
For ACME, add accounturi parent/child option
e6fd6f3 
Co-authored-by: Chris Clements <cclements@google.com>
@wthayer @geegeea
Remove implicit requirement to exactly implement RFC 8555
7f59ca4 
Co-authored-by: Gurleen Grewal <gurleen.grewal@gmail.com>
@wthayer @geegeea
Remove implicit requirement to exactly implement RFC 8555
6a3ea47 
Co-authored-by: Gurleen Grewal <gurleen.grewal@gmail.com>
@wthayer @sheurich
Replace missing sentence.
f4c39e4 
Co-authored-by: Shiloh Heurich <1778483+sheurich@users.noreply.github.com>
@wthayer @sheurich
Fix links
b1ca051 
Co-authored-by: Shiloh Heurich <1778483+sheurich@users.noreply.github.com>
@wthayer @sheurich
Fix formatting
3dd27be 
Co-authored-by: Shiloh Heurich <1778483+sheurich@users.noreply.github.com>
@wthayer @sheurich
Clarify reference
572fc17 
Co-authored-by: Shiloh Heurich <1778483+sheurich@users.noreply.github.com>
@wthayer @sheurich
Fix formatting
3b8c991 
Co-authored-by: Shiloh Heurich <1778483+sheurich@users.noreply.github.com>
@wthayer
Fix formatting
4330d02
@wthayer
Fix section numbering
515ba35
@dzacharo
Merge branch 'main' into SC-XX-Process-RFC-8657-CAA-Parameters
f570c56
@dzacharo
Merge branch 'main' into SC-XX-Process-RFC-8657-CAA-Parameters
f0b5218
@dzacharo
Update version number and tables in sections 1.2.1, 1.2.2
bb99f54
@dzacharo dzacharo merged commit 9270ad7 into main Jun 16, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@robstradling robstradling robstradling left review comments
@CBonnell CBonnell CBonnell left review comments
@aarongable aarongable aarongable left review comments
@XolphinMartijn XolphinMartijn XolphinMartijn left review comments
@dzacharo dzacharo dzacharo approved these changes
+5 more reviewers
@sheurich sheurich sheurich left review comments
@orangepizza orangepizza orangepizza left review comments
@ChristopherRC ChristopherRC ChristopherRC left review comments
@geegeea geegeea geegeea left review comments
@shuvosarker22 shuvosarker22 shuvosarker22 approved these changes
Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Define standard CAA semantics for limiting cert issuance