Certification Authority Authorization Processing for Email Addresses
RFC 9495, “Certification Authority Authorization Processing for Email Addresses”, is a Proposed Standard document published in October 2023 by C. Bonnell. The canonical text is published by the RFC Editor.
Abstract
The Certification Authority Authorization (CAA) DNS resource record (RR) provides a mechanism for domains to express the allowed set of Certification Authorities that are authorized to issue certificates for the domain. RFC 8659 contains the core CAA specification, where Property Tags that restrict the issuance of certificates that certify domain names are defined. This specification defines a Property Tag that grants authorization to Certification Authorities to issue certificates that contain the id-kp-emailProtection key purpose in the extendedKeyUsage extension and at least one rfc822Name value or otherName value of type id-on-SmtpUTF8Mailbox that includes the domain name in the subjectAltName extension.
What “Proposed Standard” means
An entry-level standards-track specification: stable, peer-reviewed and a solid basis for implementation, though it may still evolve before becoming an Internet Standard.
The canonical text of RFC 9495 is hosted at rfc-editor.org. Available in HTML, TXT, PDF, XML.
- RFC 9494 Long-Lived Graceful Restart for BGP
- RFC 9496 The ristretto255 and decaf448 Groups
- RFC 9493 Subject Identifiers for Security Event Tokens
- RFC 9497 Oblivious Pseudorandom Functions Using Prime-Order Groups
- RFC 9492 OSPF Application-Specific Link Attributes
- RFC 9498 The GNU Name System
- RFC 9491 Integration of the Network Service Header and Segment Routing for Service Function Chaining
- RFC 9500 Standard Public Key Cryptography Test Keys