Stephen,

> Yes, I understand that and didn't actually refer to LE at all in my mail.

I'm sorry if I misunderstood you with that.

> Basically, IMO only after we first get a "now" that works

We have a working HTTP-01 spec, implementation and CA. What's missing for "a 'now' that works"?

> Personally the optional thing in which I'm much more interested is a
> simple put-challenge-in-DNS one where the CA pays attention to DNSSEC,
> since that's the use-case I have and that would provide some better
> assurance to the certs acquired via acme. I can see that there might
> also be value for some (other) folks in SRV if it means no need to
> dynamically change DNS. But, if someone is saying "we must all do
> these more complex things for security reasons" then they are, in this
> context, wrong. And my mail was reacting to just such a statement.

Why not just place a static public key in DNS that is allowed to sign ACME requests for this domain? Simple, no need for dynamic updates (yes, it has been standardized for years but AFAIK is not seen very often in real-world scenarios).

Regards,
Michael.

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
