> On Mar 25, 2015, at 12:42 PM, John Mattsson <[email protected]> wrote:
>
>> On 25 Mar 2015, at 13:24, Jonathan Rudenberg <[email protected]> wrote:
>>> 7. Using any other method of confirmation, provided that the CA maintains
>>> documented evidence that the method of confirmation establishes that the
>>> Applicant is the Domain Name Registrant or has control over the FQDN to at
>>> least the same level of assurance as those methods previously described.
>>
>> The current status quo is that many CAs allow “put this meta tag or text
>> file on the HTTP server” as a challenge, which is *less* secure than the
>> proposed DVSNI and Simple HTTPS challenge methods.
>
> Yes, but that CAs are doing something does not mean that IETF should
> standardise or recommend something. I think DVSNI and Simple HTTPS challenge
> methods are fundamentally different. In DVSNI and “put this meta tag or text
> file on the HTTP server” the root of trust is being on-path. In the Simple
> HTTPS challenge the root of trust is the HTTPS certificate.

I’m not clear on your definition of “on-path” and the distinction between the
two challenges. Both Simple HTTPS and DVSNI allow anyone who can respond to TCP
connections to a domain to request a certificate for it.

>> If the only automated challenge method available is DNS, this puts a *huge*
>> damper on the usability of the system.
>
> I would prefer dropping DVSNI and only use Simple HTTPS and DNS. That would
> dampen the usability somewhat, but I think it’s worth it. But in the end it
> boils down to what presenting a domain certificate is supposed to prove...
>
> The point that DNS configuration dampens the usability indicates that
> somebody should look at automatic DNS management as well….

Sure, but practically speaking this isn’t going to happen any time soon.

Jonathan

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
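The point argued above, that a challenge answered over a TCP connection to the domain is passed by whoever actually answers that connection, whereas a DNS challenge requires access to the zone, as an added example that is not part of this thread and not code from any ACME draft or implementation. The in-memory "network" (who answers an HTTP GET, what TXT records exist), the challenge path and the TXT record name are all assumptions made for the illustration; DVSNI is not modelled separately because, for the purpose of this point, it is also "whoever answers the TCP connection":

```python
"""Toy model of domain-validation challenges (constructed example).

An in-memory Network stands in for routing, HTTP and DNS so this runs
offline. Path and record names below are assumptions, not any spec.
"""
import hmac
import secrets
from typing import Callable, Dict, List

Responder = Callable[[str], str]   # HTTP path -> response body

HTTP_PATH = "/.well-known/challenge/"   # assumed "file on the server" layout
DNS_PREFIX = "_challenge."              # assumed TXT record name prefix


class Network:
    """Constructed stand-in for routing + DNS: who answers a connection."""

    def __init__(self) -> None:
        self.servers: Dict[str, Responder] = {}       # registrant's real server
        self.interceptors: Dict[str, Responder] = {}  # on-path party, if any
        self.txt: Dict[str, List[str]] = {}           # zone data, registrant-only

    def http_get(self, host: str, path: str) -> str:
        # Whoever sits on the path to `host` answers first; the registrant's
        # own server is reached only when nobody intercepts.
        responder = self.interceptors.get(host) or self.servers.get(host)
        if responder is None:
            raise ConnectionError(host)
        return responder(path)

    def dns_txt(self, name: str) -> List[str]:
        return self.txt.get(name, [])


class ToyCA:
    """Issues a random token and checks where it shows up."""

    def __init__(self, net: Network) -> None:
        self.net = net
        self.pending: Dict[str, str] = {}   # domain -> token

    def new_challenge(self, domain: str) -> str:
        token = secrets.token_urlsafe(16)   # unpredictable, single use
        self.pending[domain] = token
        return token

    def validate_http(self, domain: str) -> bool:
        token = self.pending[domain]
        try:
            body = self.net.http_get(domain, HTTP_PATH + token)
        except ConnectionError:
            return False
        return hmac.compare_digest(body.strip(), token)

    def validate_dns(self, domain: str) -> bool:
        token = self.pending[domain]
        records = self.net.dns_txt(DNS_PREFIX + domain)
        return any(hmac.compare_digest(r, token) for r in records)


def serve_token(token: str) -> Responder:
    """Responder of a party that installed the token at the challenge path."""
    def handler(path: str) -> str:
        return token if path == HTTP_PATH + token else "404 Not Found"
    return handler


def not_found(path: str) -> str:
    """Registrant's server that knows nothing about any challenge."""
    return "404 Not Found"


def run_scenarios(domain: str = "example.test") -> Dict[str, bool]:
    results: Dict[str, bool] = {}

    # 1. The registrant requests a certificate and installs the token itself.
    net, ca = Network(), None
    ca = ToyCA(net)
    tok = ca.new_challenge(domain)
    net.servers[domain] = serve_token(tok)
    results["registrant_http"] = ca.validate_http(domain)

    # 2. An on-path party requests the challenge. The registrant's server is
    #    untouched, but the CA's connection never reaches it.
    net, ca = Network(), None
    ca = ToyCA(net)
    net.servers[domain] = not_found
    tok = ca.new_challenge(domain)
    net.interceptors[domain] = serve_token(tok)
    results["onpath_http"] = ca.validate_http(domain)

    # 3. Same on-path party, DNS variant: the TXT record would have to be in
    #    the registrant's zone, which intercepting HTTP does not reach.
    results["onpath_dns"] = ca.validate_dns(domain)

    # 4. An off-path party: the registrant's own server answers, no token.
    net, ca = Network(), None
    ca = ToyCA(net)
    net.servers[domain] = not_found
    ca.new_challenge(domain)
    results["offpath_http"] = ca.validate_http(domain)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'valid' if ok else 'rejected'}")
```

The CA side cannot distinguish scenario 1 from scenario 2: both present the right token over the connection it opened, which is the sense in which being on-path is the root of trust for that family of challenges. Only the DNS variant fails for the interceptor, and only because the zone is something an HTTP interceptor does not control.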
