>> Either limit the certificate to be only usable from that origin it has been
>> verified from, or somehow get the consent of the domain owner. If not by
>> changing DNS config, it might involve some other mechanism.

> I think you are somewhat confused. Certificates are not for full
> zones, they only name specific FQDNs. So a certificate for
> "example.com" is not valid for www.example.com or foo.example.com.
> Similarly, beta.example.com is not good for example.com or
> www.beta.example.com.

Peter, I think you misunderstood him. This is not about zones or FQDNs. It's about the fact that one who can create a cert for mydomain.com via http-01 (because the A record delegates to him) can use this cert for every service at domain.com, even when they are located elsewhere (e.g. via MX or SRV).
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
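The gap the reply describes, modelled in code. This is an added example, not part of the thread and not ACME project code; the zone data is constructed. `cert_name_matches` implements the name-matching rule Peter states (a certificate for example.com does not cover www.example.com; only a leftmost wildcard label matches a subdomain). `delegated_services` then lists the MX and SRV targets for the apex that resolve to addresses other than the host answering HTTP, i.e. services run by someone other than whoever can pass http-01 for the apex name. If a client validates such a service's certificate against the apex name, the http-01 issued certificate is accepted for it.

```python
"""
Added example (not from the mailing-list thread): why an http-01 validated
certificate for a zone apex can cover services the web host does not run.
All DNS records below are constructed sample data.
"""

# Constructed zone: the apex A record points at a web-hosting provider,
# while mail and XMPP are delegated elsewhere via MX and SRV records.
ZONE = {
    ("example.com.", "A"): ["192.0.2.10"],            # web host, answers http-01
    ("www.example.com.", "A"): ["192.0.2.10"],
    ("example.com.", "MX"): ["mail.mailprovider.net."],
    ("mail.mailprovider.net.", "A"): ["198.51.100.5"],
    ("_xmpp-client._tcp.example.com.", "SRV"): ["xmpp.chatprovider.org."],
    ("xmpp.chatprovider.org.", "A"): ["203.0.113.7"],
}


def cert_name_matches(cert_name: str, host: str) -> bool:
    """RFC 6125-style matching: exact match, or a wildcard in the leftmost
    label only, matching exactly one label (so *.example.com does not cover
    example.com itself or a.b.example.com)."""
    cert_name = cert_name.rstrip(".").lower()
    host = host.rstrip(".").lower()
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        c_labels, h_labels = cert_name.split("."), host.split(".")
        return len(c_labels) == len(h_labels) and c_labels[1:] == h_labels[1:]
    return False


def http01_controller(zone: dict, name: str) -> set:
    """Addresses that answer HTTP for `name`; whoever runs them can pass http-01."""
    return set(zone.get((name, "A"), []))


def delegated_services(zone: dict, apex: str) -> list:
    """Return (rtype, owner, target) for MX/SRV records under `apex` whose
    target resolves to addresses disjoint from the http-01 responder's.
    Each finding is a service the web host does not operate but for which a
    certificate naming `apex` may nevertheless be presented."""
    web_hosts = http01_controller(zone, apex)
    findings = []
    for (owner, rtype), targets in zone.items():
        if rtype not in ("MX", "SRV"):
            continue
        if not (owner == apex or owner.endswith("." + apex)):
            continue
        for target in targets:
            target_addrs = set(zone.get((target, "A"), []))
            if target_addrs and not (target_addrs & web_hosts):
                findings.append((rtype, owner, target))
    return findings


if __name__ == "__main__":
    for finding in delegated_services(ZONE, "example.com."):
        print("service not under the http-01 responder's control:", finding)
```

Running it against the constructed zone flags both the MX and the SRV target. A zone owner who wants the apex certificate to stay meaningful for those services would look for exactly these records when deciding whether http-01 for the apex is an acceptable proof of control.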
