On Thu, Apr 23, 2015 at 01:01:53PM -0400, Phillip Hallam-Baker wrote:
> Another point to consider here is the framing of the problem. People
> are discussing this as validating a certificate request. I think that
> is the wrong way to look at it. What we are doing is to validate the
> holdership of a DNS name. Which is not the same thing. That may be a
> component of a certificate validation process but it is not
> necessarily one that would apply to every certificate issue.
Amen.
> But looking at where we are likely to go with ACME, I think we could
> make a good case for 443 validation only right now and punt on the
> question of seamless issue for protocols on ports other than 443 where
> there isn't a connection to the Web server.
Agreed, and as you note even 443 checks are really not the right
proof of "holdership". So there'll be more work to do to flesh
out the whole architecture.
--
Viktor.