Owen Friel (ofriel) <[email protected]> wrote:
    > The draft as is does not preclude http-01 challenges, but I agree that
    > the dns-01 challenge is more applicable.

I think that the draft should apply to dns-01 only.

I don't think that http-01 challenges are meaningful in this context, and they may
in fact risk having one tenant of a multi-tenant domain (e.g. domains like
"wix.com") wind up with authorization for many things they shouldn't have.
(Yes, for wix.com, this would probably require a second bug somewhere.)

    > If a client is advertising multiple ADNs it can authorize, should the
    > supported challenge type be per ADN? e.g. dns-01 and http-01 for
    > foo1.foo2.bar.example.com but only dns-01 for example.com? Is this
    > flexibility in any way useful, or just likely to lead to confusion and
    > implementation bugs?

    > For sure, the way the draft is currently written, if a client places an
    > order for a subdomain, and the server issues a single challenge for a
    > parent ADN (which could be the BDN/Base Domain Name), then this will
    > result in frequent failures as the client is not authorized to control
    > the parent ADN/BDN.

I guess I'm also confused by why a client would issue an order for a
sub-domain of a domain for which it has not received authorization.
Obviously, an attacker might do that, but why wouldn't the order just be
rejected?

It seems like the client and server are expected to somehow guess where the
zone cuts are, rather than the client starting with that information in its
configuration.

--
Michael Richardson <[email protected]>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
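As an added illustration of the point made in this thread (not code from the draft or from either poster), the constructed policy below starts from the client's configured list of Authorization Domain Names (ADNs), has the server authorize only the closest configured ADN covering the ordered identifier, offers dns-01 alone for it, and rejects identifiers outside every configured ADN instead of guessing at a parent. All names and the `plan_order` return format are assumptions for the example.

```python
from typing import Iterable, Optional

# Constructed example: the client knows which ADNs it can prove control of,
# so neither side has to guess where the zone cuts are.

def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def is_ancestor_or_self(adn: str, identifier: str) -> bool:
    """True if `identifier` equals `adn` or sits somewhere below it."""
    a, i = _labels(adn), _labels(identifier)
    return len(a) <= len(i) and i[len(i) - len(a):] == a

def closest_adn(identifier: str, adns: Iterable[str]) -> Optional[str]:
    """Most specific configured ADN that covers `identifier`, or None."""
    matches = [adn for adn in adns if is_ancestor_or_self(adn, identifier)]
    return max(matches, key=lambda n: len(_labels(n))) if matches else None

def plan_order(identifier: str, adns: Iterable[str]) -> dict:
    """Decide what a server should do with a newOrder for `identifier`
    given the ADNs the client is configured (and claims) to control."""
    adn = closest_adn(identifier, adns)
    if adn is None:
        # Not under any configured ADN: reject the order outright rather
        # than issuing a challenge for a parent the client cannot satisfy.
        return {"status": "rejected",
                "reason": "identifier not under a configured ADN"}
    # Only dns-01 is offered for the ancestor authorization: an http-01
    # response served by one tenant of a shared parent domain must never
    # turn into an authorization for the whole parent.
    return {"status": "ok", "authorize": adn, "challenges": ["dns-01"]}

if __name__ == "__main__":
    # Constructed sample: client configured for bar.example.com only.
    print(plan_order("foo1.foo2.bar.example.com", ["bar.example.com"]))
    print(plan_order("tenant.wix.com", ["bar.example.com"]))
```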
