Just a question (quick). You probably saw the relatively new CAA record for DNS. This (great) record provides a means to get the address of a CA for a given DNS domain. Firstly, it is unclear to me why the old SRV records are not used as they essentially do the same. You may think of creating an SRV record for _pkica.<domain> that would provide a CA's IP address. Then my question is : why is this SRV not used on linux boxes ? This would provide a means to retrieve automatically a certificate/public key for a given user and avoid setting configs (i.e. ldap.conf) on the client side. In other tertms, don't we need a CAA equivalent for Directories ?