ietf-smtp

Re: [ietf-smtp] DANE / Fwd: ACTION REQUIRED: Renew these Let's Encrypt certificates by March 4

2020-03-08 06:43:29
On 2020-03-07 at 04:29 -0500, Viktor Dukhovni wrote:
> Here opinions differ.  Trusting a CA that validates domain control as
> weakly as Let's Encrypt would not be my choice.  But with half the
> world trusting Let's Encrypt's "proofs" of domain control, you can
> perhaps be comfortable in knowing that you're not alone...

If that's the concern, then tell Let's Encrypt which accounts are
allowed to issue certificates for your domain.

E.g., in the zonefile for `spodhuis.org` I have:

@  CAA  0  issue "globnix.net"
@  CAA  0  issue "letsencrypt.org\; accounturi=https://acme-v01.api.letsencrypt.org/acme/reg/1134193"
@  CAA  0  issue "letsencrypt.org\; accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/12581965"
@  CAA  0  issue "letsencrypt.org\; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/79096293"
@  CAA  0  issuewild ";"
@  CAA  0  iodef "mailto:security@spodhuis.org"

See RFC 8657 for more on `accounturi`.

(Ignore my in-house CA `globnix.net`; and I recommend comments in the
 zonefile or whatever you use, to index those account numbers and keep
 things straight.)

-Phil

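The issuance rule those records encode, as an added example that is not part of Phil's post: a small checker applying the RFC 8659 issue/issuewild semantics together with the RFC 8657 accounturi parameter. The record values are constructed copies of the spodhuis.org lines above (the zonefile's backslash before `;` is file syntax, not record content); the candidate CA names and account URIs passed to it are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # 128 = critical; unused here because only known tags appear
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # record content as stored in DNS (no zonefile escaping)

def parse_issuer(value):
    """Split 'issuer-domain; k=v; k=v' into (domain, params).
    An empty issuer domain (record value ';') means 'no CA may issue'."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        if key.strip():
            params[key.strip().lower()] = val.strip()
    return parts[0].lower(), params

def issuance_allowed(records, ca_domain, account_uri=None, wildcard=False):
    """RFC 8659 sections 4.2/4.3 plus RFC 8657 accounturi: may ca_domain issue?"""
    tag = "issuewild" if wildcard else "issue"
    relevant = [r for r in records if r.tag.lower() == tag]
    if wildcard and not relevant:
        # No issuewild records: the issue records govern wildcard names too.
        relevant = [r for r in records if r.tag.lower() == "issue"]
    if not relevant:
        return True  # CAA present but no issue/issuewild: no restriction
    for r in relevant:
        domain, params = parse_issuer(r.value)
        if domain != ca_domain.lower():
            continue  # ';' (nobody) or another CA; keep looking
        wanted = params.get("accounturi")
        # RFC 8657: when accounturi is present only an exact match may issue.
        if wanted is None or wanted == account_uri:
            return True
    return False

# Constructed copies of the spodhuis.org records quoted above.
SPODHUIS = [
    CAA(0, "issue", "globnix.net"),
    CAA(0, "issue", "letsencrypt.org; accounturi=https://acme-v01.api.letsencrypt.org/acme/reg/1134193"),
    CAA(0, "issue", "letsencrypt.org; accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/12581965"),
    CAA(0, "issue", "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/79096293"),
    CAA(0, "issuewild", ";"),
    CAA(0, "iodef", "mailto:security@spodhuis.org"),
]
```

With these records a Let's Encrypt request from account 79096293 is permitted, a request from any other Let's Encrypt account (or one where the CA cannot name the account) is refused, and no CA at all may issue a wildcard because of the `issuewild ";"` record.
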
_______________________________________________
ietf-smtp mailing list
ietf-smtp@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-smtp