Let’s Encrypt deployed new CAA extensions to production today.
The first allows subscribers to restrict issuance to particular ACME accounts. This is important, for example, for subscribers that want to allow issuance from Let’s Encrypt but require issuance for the domain to happen via a certain account that can be centrally controlled. Previously some subscribers have wanted to enable Let’s Encrypt but worried about anyone in the org being able to issue with no oversight.
The second allows for restricting the validation methods that can be used (DNS, HTTP, or TLS-ALPN). If a subscriber believes one method to be more secure, or prefers it for any other reason, they can now require its use.
I don’t really expect these to become widely used, but for some subscribers and organizations they will be important controls.
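As an added example (not code from the original post or from Let's Encrypt), the two controls described above correspond to the `accounturi` and `validationmethods` parameters of the CAA `issue` property defined in RFC 8657. The checker below parses such records and decides whether a request from a given ACME account using a given challenge type would be permitted for a given CA. The record set, the `ca.example.net` issuer and the account id `12345` are constructed placeholders; treating unrecognised parameters as non-permitting is this example's own conservative choice, not something the post states.

```python
"""Evaluate CAA 'issue' records carrying the RFC 8657 accounturi and
validationmethods parameters (added example; assumptions noted inline)."""
from dataclasses import dataclass
from typing import List, Optional, Set

LE_ISSUER = "letsencrypt.org"
# Placeholder account URI: the numeric account id is made up for this example.
ALLOWED_ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/12345"

# Constructed CAA 'issue' values for a zone that (a) lets Let's Encrypt issue
# only via one central ACME account and only with the DNS challenge, and
# (b) lets a hypothetical ca.example.net issue without further restriction.
CONSTRUCTED_CAA_ISSUE = [
    f"{LE_ISSUER}; accounturi={ALLOWED_ACCOUNT}; validationmethods=dns-01",
    "ca.example.net",
]

ACME_METHODS = {"http-01", "dns-01", "tls-alpn-01"}


@dataclass
class CaaIssue:
    issuer: str                                    # "" means no CA may issue
    accounturi: Optional[str] = None               # None = any ACME account
    validationmethods: Optional[Set[str]] = None   # None = any method
    unknown_params: bool = False                   # saw a tag we do not know


def parse_issue(value: str) -> CaaIssue:
    """Parse 'issuer-domain-name; tag=value; tag=value' into a CaaIssue."""
    parts = [p.strip() for p in value.split(";")]
    rec = CaaIssue(issuer=parts[0].lower())
    for param in parts[1:]:
        if not param:
            continue
        if "=" not in param:
            raise ValueError(f"malformed CAA parameter: {param!r}")
        tag, val = (s.strip() for s in param.split("=", 1))
        tag = tag.lower()
        if tag == "accounturi":
            rec.accounturi = val
        elif tag == "validationmethods":
            rec.validationmethods = {
                m.strip().lower() for m in val.split(",") if m.strip()
            }
        else:
            rec.unknown_params = True
    return rec


def record_permits(rec: CaaIssue, issuer: str, account_uri: str, method: str) -> bool:
    """Does one issue record permit this issuer/account/method combination?"""
    if rec.issuer != issuer.lower():
        return False
    if rec.unknown_params:
        # Conservative choice for this example: a parameter we cannot
        # interpret might be a restriction, so do not treat it as a permit.
        return False
    if rec.accounturi is not None and rec.accounturi != account_uri:
        return False          # wrong (or uncontrolled) ACME account
    if rec.validationmethods is not None and method.lower() not in rec.validationmethods:
        return False          # challenge type not on the allowed list
    return True


def issuance_permitted(records: List[str], issuer: str, account_uri: str, method: str) -> bool:
    """CAA issue records form a permit list: any one matching record allows
    issuance.  An empty list models a zone with no 'issue' property, which
    leaves issuance unrestricted (this example does not walk the DNS tree or
    model issuewild)."""
    if method.lower() not in ACME_METHODS:
        raise ValueError(f"unknown ACME validation method: {method!r}")
    if not records:
        return True
    return any(record_permits(parse_issue(r), issuer, account_uri, method) for r in records)


if __name__ == "__main__":
    other_account = "https://acme-v02.api.letsencrypt.org/acme/acct/99999"
    cases = [
        (LE_ISSUER, ALLOWED_ACCOUNT, "dns-01"),   # central account, DNS: allowed
        (LE_ISSUER, ALLOWED_ACCOUNT, "http-01"),  # right account, wrong method
        (LE_ISSUER, other_account, "dns-01"),     # uncontrolled account
        ("ca.example.net", other_account, "http-01"),  # unrestricted issuer
    ]
    for issuer, acct, method in cases:
        verdict = issuance_permitted(CONSTRUCTED_CAA_ISSUE, issuer, acct, method)
        print(f"{issuer:16} {method:12} {acct.rsplit('/', 1)[-1]:>6} -> {verdict}")
```

Running the block prints one line per case, showing that only the central account using `dns-01` gets a permit from the Let's Encrypt record while the unrestricted `ca.example.net` record permits anything. The two parameters compose: an `accounturi` restriction without `validationmethods` leaves the challenge type open, and vice versa.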
@joshaas That is a great functionality
@joshaas Amazing! I've been looking forward to challenge type restrictions for quite a while