On 26/07/16 18:00, Peter Bowen wrote:
> I don't see anything in the ACME specification that disallows this
> at the protocol level. I think a CA could request you validate a
> DNS identifier of 'example.com', then accept that authorization for
> the issuance of 'ship.example.com'. Conversely, ACME does not
> require CAs allow such and I hope it stays that way. CA policy
> should be distinct from ACME.
Agreed that this should be a policy decision. It's worth pointing out, however, that prior drafts contained language that made it clear that it's a policy decision, which seems to have been removed in the acme-03 draft. It used to read:

"It is up to the server's local policy to decide which names are acceptable in a certificate, given the authorizations that the server associates with the client's account key."

Was this removed deliberately, or did it get lost as part of the "Application" change? I think it would make sense to add something like that to the CA Policy Considerations section, just to make it clear that this is indeed a policy decision (unless the WG thinks otherwise?)
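As an added illustration of the policy choice discussed in this thread (example code, not from the ACME drafts or from any CA's implementation): the check an ACME server applies between the authorizations associated with an account key and the names in a certificate request. It models the strict policy (each name needs an exactly matching valid authorization) beside the permissive one Peter describes (a valid authorization for example.com also covers ship.example.com). The `Authorization` type, the `PUBLIC_SUFFIXES` set and the policy names are assumptions made for the example; the suffix set is a tiny constructed stand-in for the real Public Suffix List.

```python
"""Authorization-to-name policy check for an ACME server (constructed example).

Two policies are modelled:
  "exact"  - a name is acceptable only with a valid authorization for that
             exact identifier.
  "parent" - a valid authorization for a parent domain also covers its
             subdomains (example.com covers ship.example.com).
Neither policy is what ACME mandates; the protocol leaves it to the server.
"""
from dataclasses import dataclass
from typing import Iterable, Set

# Constructed stand-in for the Public Suffix List. Under the "parent" policy an
# authorization for one of these must never cover its subdomains, otherwise an
# authorization for "com" would cover every name under .com.
PUBLIC_SUFFIXES = frozenset({"com", "net", "org", "co.uk"})


@dataclass(frozen=True)
class Authorization:
    identifier: str   # the DNS identifier the client validated
    status: str       # only "valid" authorizations count towards issuance


def normalize(name: str) -> str:
    """Canonicalise a DNS name: lower-case, no surrounding space, no trailing dot."""
    return name.strip().rstrip(".").lower()


def parents(name: str) -> Iterable[str]:
    """Yield the proper parent domains of `name`, nearest first, stopping before
    the first public suffix: ship.example.com -> example.com (and nothing else)."""
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in PUBLIC_SUFFIXES:
            return
        yield parent


def covering_names(name: str, policy: str) -> Set[str]:
    """Identifiers whose valid authorization would satisfy `name` under `policy`."""
    if policy == "exact":
        return {name}
    if policy == "parent":
        return {name, *parents(name)}
    raise ValueError(f"unknown policy {policy!r}")


def unauthorized_names(requested: Iterable[str],
                       authorizations: Iterable[Authorization],
                       policy: str = "exact") -> Set[str]:
    """Return the requested names that the account's authorizations do not cover.

    An empty result means the server's policy allows issuance for every name.
    """
    valid = {normalize(a.identifier) for a in authorizations if a.status == "valid"}
    missing: Set[str] = set()
    for raw in requested:
        name = normalize(raw)
        if not (covering_names(name, policy) & valid):
            missing.add(name)
    return missing


if __name__ == "__main__":
    # Constructed sample: the account validated example.com, and has a still
    # pending authorization for other.net.
    auths = [Authorization("example.com", "valid"),
             Authorization("other.net", "pending")]
    wanted = ["example.com", "ship.example.com", "other.net"]
    for policy in ("exact", "parent"):
        print(policy, "policy refuses:", sorted(unauthorized_names(wanted, auths, policy)))
```

Under the strict policy the run refuses ship.example.com and other.net; under the parent policy only other.net, whose authorization is not yet valid, is refused. The public-suffix stop in `parents` is the caveat a server adopting the permissive policy needs: without it, a validated "com" identifier would be treated as covering the whole TLD.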
