[Top] [All Lists]

Re: [ietf-smtp] DANE / Fwd: ACTION REQUIRED: Renew these Let's Encrypt certificates by March 4

2020-03-08 06:43:29
On 2020-03-07 at 04:29 -0500, Viktor Dukhovni wrote:
Here opinions differ.  Trusting a CA that validates domain control as
weakly as Let's Encrypt would not be my choice.  But with half the
world trusting Let's Encrypt's "proofs" of domain control, you can
perhaps be comfortable in knowing that you're not alone...

If that's the concern, then tell Let's Encrypt which accounts are
allowed to issue certificates for your domain.

Eg, in the zonefile for `` I have:

@  CAA  0  issue ""
@  CAA  0  issue "\; 
@  CAA  0  issue "\; 
@  CAA  0  issue "\; 
@  CAA  0  issuewild ";"
@  CAA  0  iodef "mailto:security(_at_)spodhuis(_dot_)org"

See RFC 8657 for more on `accounturi`.

(Ignore my in-house CA ``; and I recommend comments in the
 zonefile or whatever you use, to index those account numbers and keep
 things straight.)


ietf-smtp mailing list