On 7/20/16, 12:06 PM, "Salz, Rich" <[email protected]> wrote:
>> >I think this could work, but I believe there are use cases
>> >(specifically, CDNs) where people do not want to advertise the
>> >delegation.
>>
>> I favor solutions where the relying party can be aware of the
>> delegation if they want to be.
>
>FWIW, in the CDN case origin sites generally *do not* want the end-user
>to be able to know.
>
>I'd think legitimate origin owner desire trumps general visibility.

I am surprised enabling invisibility is a goal. Seems like we may want that option (which is always available via sharing a P12) but also ought have a means of enabling end clients to know delegation is in place while validating the domain owner authorized it. The McGrew TLS proxies paper from a few years ago may be a good option if TLS mods are on the table.
