Responding to part of this.

On Sun, Dec 13, 2020 at 3:47 PM Michael Richardson <[email protected]> wrote:
> > If a client is advertising multiple ADNs it can authorize, should the
> > supported challenge type be per ADN? e.g. dns-01 and http-01 for
> > foo1.foo2.bar.example.com but only dns-01 for example.com? Is this
> > flexibility in any way useful, or just likely to lead to confusion and
> > implementation bugs?
>
> > For sure, the way the draft is currently written, if a client places an
> > order for a subdomain, and the server issues a single challenge for a
> > parent ADN (which could be the BDN/Base Domain Name), then this will
> > result in frequent failures as the client is not authorized to control
> > the parent ADN/BDN.
>
> I guess I'm also confused by why a client would issue an order for a
> sub-domain for a domain for which it has not received authorization.
> Obviously, an attacker might do that, but why wouldn't the order just be
> rejected?

I'm not sure what you mean here, could you explain? It sounds like you're suggesting that pre-authorization should be the only flow (that is, newAuthz before newOrder). However, newAuthz is optional (RFC 8555, Section 7.4.1), as also called out in the draft (draft-friel-acme-subdomains-03, Section 5.1). However, I suspect I'm misunderstanding your question?
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
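The two flows the reply contrasts, pre-authorization (newAuthz, RFC 8555 Section 7.4.1) and order-first (newOrder, Section 7.4), and the failure mode the quoted mail describes, modelled as an added example. This is illustrative code written for this thread, not code from the draft, from RFC 8555, or from any ACME implementation. It assumes a hypothetical in-memory server (`ToyAcmeServer`), represents identifiers as bare DNS names rather than RFC 8555 identifier objects, and models "parent ADN" as the nearest ancestor label by default; a real server's choice of parent is policy. A client is modelled as a map from name to the challenge types it can actually satisfy, which also captures the "per-ADN challenge type" question in the first quoted paragraph.

```python
from dataclasses import dataclass


@dataclass
class Authz:
    """Cut-down RFC 8555 authorization: one identifier, the challenge types offered."""
    identifier: str
    challenges: tuple
    status: str = "pending"      # pending -> valid | invalid


@dataclass
class Order:
    identifiers: tuple
    authorizations: list
    status: str = "pending"      # pending -> ready | invalid


def ancestors(name: str) -> list:
    """Parent ADNs of a name, nearest first, stopping before the TLD label:
    'foo1.foo2.bar.example.com' -> ['foo2.bar.example.com', 'bar.example.com', 'example.com']."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]


class ToyAcmeServer:
    """In-memory stand-in for the server side of RFC 8555 (hypothetical, not a real CA)."""

    def __init__(self, challenge_for_parent: bool, offered=("dns-01", "http-01")):
        # challenge_for_parent=True models the behaviour the quoted mail warns about:
        # an order for a subdomain is answered with one challenge for a parent ADN.
        self.challenge_for_parent = challenge_for_parent
        self.offered = offered
        self.valid = {}           # identifier -> Authz this account has already proven

    def new_authz(self, identifier: str) -> Authz:
        """Pre-authorization (RFC 8555 Section 7.4.1); optional for servers."""
        return self.valid.get(identifier) or Authz(identifier, self.offered)

    def new_order(self, identifiers) -> Order:
        """Order-first flow (RFC 8555 Section 7.4): the server decides which
        authorizations it requires and creates any that are missing."""
        authzs = []
        for ident in identifiers:
            if self.challenge_for_parent:
                parents = ancestors(ident) or [ident]   # apex has no parent ADN: challenge it directly
                # Reuse a parent ADN the account already holds, else challenge the nearest parent.
                target = next((p for p in parents if p in self.valid), parents[0])
            else:
                target = ident
            authzs.append(self.valid.get(target) or Authz(target, self.offered))
        return Order(tuple(identifiers), authzs)

    def respond(self, authz: Authz, client: dict) -> Authz:
        """Client answers a challenge; the server validates against what the client
        can really prove. `client` maps name -> set of challenge types it can satisfy."""
        usable = set(authz.challenges) & set(client.get(authz.identifier, ()))
        authz.status = "valid" if usable else "invalid"
        if usable:
            self.valid[authz.identifier] = authz
        return authz

    def finalize(self, order: Order) -> str:
        ok = all(a.status == "valid" for a in order.authorizations)
        order.status = "ready" if ok else "invalid"
        return order.status


def run_order(server: ToyAcmeServer, client: dict, identifiers):
    """Drive one order end to end; returns (order status, [(authz identifier, status), ...])."""
    order = server.new_order(identifiers)
    for authz in order.authorizations:
        if authz.status == "pending":
            server.respond(authz, client)
    return server.finalize(order), [(a.identifier, a.status) for a in order.authorizations]


# Constructed clients (sample data, not from the thread). Per-name challenge sets model
# the "per ADN challenge type" question: this client controls only the leaf, by either challenge...
LEAF_ONLY = {"foo1.foo2.bar.example.com": {"dns-01", "http-01"}}
# ...and this one controls the apex, by dns-01 only.
APEX_DNS_ONLY = {"example.com": {"dns-01"}}

if __name__ == "__main__":
    name = "foo1.foo2.bar.example.com"
    # 1. Per-identifier challenge: the leaf-only client succeeds.
    print(run_order(ToyAcmeServer(challenge_for_parent=False), LEAF_ONLY, [name]))
    # 2. Parent-ADN challenge with no prior authorization: fails, as the quoted mail predicts.
    print(run_order(ToyAcmeServer(challenge_for_parent=True), LEAF_ONLY, [name]))
    # 3. Pre-authorize the apex first (newAuthz), then order the leaf: succeeds.
    srv = ToyAcmeServer(challenge_for_parent=True)
    srv.respond(srv.new_authz("example.com"), APEX_DNS_ONLY)
    print(run_order(srv, APEX_DNS_ONLY, [name]))
```

Scenario 2 is the case the quoted mail calls out: the order names the leaf, the server challenges the parent, and a client that can only answer for the leaf ends with an invalid order. Scenario 3 is the pre-authorization path the reply says cannot be assumed, since newAuthz is optional for servers; a server that relies on parent-ADN challenges therefore has to cope with accounts that arrive through scenario 2.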
