<div dir="ltr">Agreed, I look forward to discussing this with the whole group.<div><br></div><div>In general I strongly approve of having CAA checks for all forms of issuance. However, this version of CAA (implemented as a new second layer hidden service descriptor) requires the CA to operate a Tor Client in order to inspect it. This (in my opinion) completely obviates the benefits of the proposed "onion-csr-01" method (equivalent to the current BRs Appendix B 2.b. method) -- namely that the whole validation process can be conducted without the CA operating a Tor client to reach out to the onion service in question. I believe that requiring CAA checks <i>of this form</i> will prevent adoption / implementation by CAs, and thus defeats the purpose of the draft.</div><div><br></div><div>Aaron</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jul 27, 2023 at 10:40 AM Tim Hollebeek via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="msg8647417980306828128">
<div lang="EN-US" style="overflow-wrap: break-word;">
<div class="m_8647417980306828128WordSection1">
<p class="MsoNormal">Hello Q,</p>
<p class="MsoNormal">My opinion is that this would be a great discussion to have at an upcoming meeting of the Validation Subcommittee.</p>
<p class="MsoNormal">-Tim</p>
<div style="border-top:none;border-right:none;border-bottom:none;border-left:1.5pt solid blue;padding:0in 0in 0in 4pt">
<div>
<div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(225,225,225);padding:3pt 0in 0in">
<p class="MsoNormal"><b><span>From:</span></b><span> Servercert-wg <<a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank">servercert-wg-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Dean Coclin via Servercert-wg<br>
<b>Sent:</b> Wednesday, July 26, 2023 7:22 PM<br>
<b>To:</b> <a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a><br>
<b>Subject:</b> [Servercert-wg] Message</span></p>
</div>
</div>
<p class="MsoNormal">One of the new Interested Party members tried to post to the group but it bounced. I’ve asked Wayne to look at it but in the meantime, I’m reposting the message for him:</p>
<p class="MsoNormal">I'd like to start some discussion on the WG's opinions of CAA for Tor hidden services, using my <a href="https://e.as207960.net/w4bdyj/cNl2iFrs" target="_blank">draft-ietf-acme-onion</a> and my Tor Spec proposal <a href="https://e.as207960.net/w4bdyj/YAae97pn" target="_blank">343-rend-caa</a>, as part of the <a href="https://e.as207960.net/w4bdyj/wi4TBMXN" target="_blank">ACME for Onions</a> project.</p>
<p class="MsoNormal">Specifically:</p>
<p class="MsoNormal">- is this something the WG likes?</p>
<p class="MsoNormal">- should CAA checking be required for Tor?</p>
<p class="MsoNormal">Thanks,</p>
<p class="MsoNormal">Q Misell</p>
</div>
</div>
</div>
_______________________________________________<br>
Servercert-wg mailing list<br>
<a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" rel="noreferrer" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><br>
</div></blockquote></div>