On Sat, Aug 6, 2016 at 11:11 AM, Jacob Hoffman-Andrews <[email protected]> wrote:

> The CA/Browser Forum's recent Ballot 169 specifies that validating control
> of a base domain is sufficient to issue a wildcard. But I think folks have
> expressed a feeling that that's not strong enough. ACME hasn't
> hesitated to take a stance on challenge methods. Similarly I think it would
> be worthwhile to say "this is the default ACME way to get a wildcard, but
> you can also use out-of-band methods."
ACME describes possible validation methods but does not tell any CA what they _must_ use. I think it is valid, under the current draft, for a CA to only support out-of-band methods, right?

If ACME wants to specify a validation method for wildcards, then it should be an option for CAs. However, as you say, the CA can always perform some other ritual and then expose the validation to the client as an out-of-band authorization. Or at least can in the current draft.

Thanks,
Peter
