The CA/Browser Forum has voted (Ballot SC-098v2) to make ACME CAA extensions mandatory for all Certificate Authorities starting March 2027. ACME CAA extensions, defined in RFC 8657, allow domain owners to lock certificate issuance to a specific ACME account and restrict validation to DNS-based methods only. When combined with DNSSEC (already mandatory for domain validation since March 2026), this closes the remaining security gaps in Web PKI by ensuring all domain validation is cryptographically secure. CAs like Let's Encrypt and Google Trust Services already support the feature, and Chrome's Root Program Policy has required ACME CAA support since February 2026. The change enables high-assurance certificate issuance for high-profile websites that face serious threats.
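As an added illustration (not code from the newsletter or from any CA), the following Python sketch audits CAA `issue` property values for the two RFC 8657 parameters, `accounturi` and `validationmethods`, and reports whether a record actually binds issuance to one ACME account and to DNS-based validation. The issuer `ca.example`, the account URI, and the choice of `dns-01` as the required method are assumptions made for the example.

```python
# Added example: audit CAA "issue" property values for RFC 8657 parameters.
DNS_METHODS = {"dns-01"}  # assumption: the DNS-based ACME method to require

def parse_issue_value(value):
    """Split an issue value into (issuer_domain, params, duplicated_tags)."""
    issuer, *rest = [p.strip() for p in value.split(";")]
    params, dupes = {}, set()
    for part in filter(None, rest):
        tag, sep, val = part.partition("=")
        tag = tag.strip().lower()
        if not sep:
            raise ValueError(f"malformed CAA parameter: {part!r}")
        if tag in params:
            dupes.add(tag)
        params[tag] = val.strip()
    return issuer.lower(), params, dupes

def audit_issue_value(value):
    """Return findings for one value; an empty list means fully locked down."""
    issuer, params, dupes = parse_issue_value(value)
    if not issuer:
        return ["no issuer: issuance forbidden"]  # value is just ";"
    findings = []
    if "accounturi" in dupes:
        findings.append("multiple accounturi parameters: unsatisfiable per RFC 8657")
    elif "accounturi" not in params:
        findings.append("no accounturi: not bound to a specific ACME account")
    listed = params.get("validationmethods", "").split(",")
    methods = {m.strip() for m in listed} - {""}
    if not methods:
        findings.append("no validationmethods: validation method unrestricted")
    elif methods - DNS_METHODS:
        extra = ", ".join(sorted(methods - DNS_METHODS))
        findings.append(f"non-DNS validation allowed: {extra}")
    return findings

# Constructed sample records (ca.example and the account URI are placeholders).
SAMPLES = [
    "ca.example; accounturi=https://acme.ca.example/acct/0001; validationmethods=dns-01",
    "ca.example",
    "ca.example; validationmethods=http-01,dns-01",
    ";",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", audit_issue_value(s) or "account-bound, DNS validation only")
```

Only the first sample is fully restricted; the second and third still leave the account or the validation method open.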