Oops, should both be mydomain.com ;-)

> did you mean mydomain.com and domain.com, two entirely separate SLDs?
>
> On Wed, Dec 16, 2015 at 2:29 PM, Michael Wyraz <[email protected]> wrote:
>
>>> Either limit the certificate to be only usable from that origin it has been
>>> verified from, or somehow get the consent of the domain owner. If not by
>>> changing DNS config, it might involve some other mechanism.
>>
>> I think you are somewhat confused. Certificates are not for full
>> zones, they only name specific FQDNs. So a certificate for
>> "example.com" is not valid for www.example.com or foo.example.com.
>> Similarly, beta.example.com is not good for example.com or
>> www.beta.example.com.
>
> Peter, I think you misunderstood him. This is not about zones or FQDNs.
> It's about the fact that one who can create a cert for mydomain.com via
> http-01 (because A-record delegates to him) can use this cert for every
> service at domain.com, even when they are located elsewhere (e.g. via MX
> or SRV).
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
>
> --
> konklone.com | @konklone
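The scope mismatch Michael describes, as an added example that is not part of the thread: http-01 proves control of whatever host the bare name's A record points at, but the resulting certificate names the domain, so services that clients reach under that same name (located via MX or SRV) fall inside its scope even when they run on hosts that never took part in validation. The zone data, host names and function names below are constructed for illustration; nothing is looked up on the network.

```python
from dataclasses import dataclass, field


@dataclass
class Zone:
    """Constructed DNS data for one domain (made-up hosts, not real records)."""
    name: str
    a: str                                   # A record of the bare name: the host serving HTTP
    mx: list = field(default_factory=list)   # MX targets for the name
    srv: dict = field(default_factory=dict)  # "_service._proto" -> SRV target host


def http01_prover(zone):
    """http-01 only proves control of the host the A record points at: the CA
    fetches http://<name>/.well-known/acme-challenge/<token> and lands on
    zone.a. Whoever operates that host can obtain a certificate for zone.name."""
    return zone.a


def services_covered_elsewhere(zone):
    """Services that clients address as zone.name but that run on a host other
    than the one that passed http-01. The certificate is for the name, not for
    a host, so these services sit inside its scope although their operators
    were never consulted."""
    prover = http01_prover(zone)
    findings = []
    for target in zone.mx:
        if target != prover:
            findings.append(("MX", target))
    for service, target in zone.srv.items():
        if target != prover:
            findings.append((service, target))
    return findings


def report(zone):
    """Human-readable summary for one zone."""
    lines = [f"http-01 for {zone.name} is satisfied by {http01_prover(zone)}"]
    for service, target in services_covered_elsewhere(zone):
        lines.append(f"  {service:<18} at {target}: "
                     f"a cert for {zone.name} is usable here, host never validated")
    return "\n".join(lines)


# Constructed zone: web hosting with one provider, mail and XMPP with others,
# and one SRV-located service that happens to live on the web host itself.
EXAMPLE = Zone(
    name="mydomain.com",
    a="web.hosting-provider.example",
    mx=["mx1.mail-provider.example"],
    srv={
        "_xmpp-client._tcp": "xmpp.chat-provider.example",
        "_sip._tls": "web.hosting-provider.example",
    },
)

if __name__ == "__main__":
    print(report(EXAMPLE))
```

Running the report on the constructed zone lists the mail and XMPP services as covered by a certificate the web host's operator could obtain, while the SIP service (same host as the A record) is not flagged; the check is a way to see which hosted services a domain owner would implicitly delegate to whoever answers HTTP for the bare name.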
