Hi,

Perhaps the following has been discussed before (although I wasn't able to find it, then); in that case, please let me know, and we can close the thread.

I read the draft and think it is a good idea and well done. However, I was wondering: what if there is a public suffix between the subdomain for which a certificate is requested and the parent domain used for validation?

Let's work through an example. You may be familiar with the (non-official) eu.org registry, which runs several public suffixes under which one can register domain names. These public suffixes appear on the public suffix list (e.g. de.eu.org).

Now, should it be possible for the DNS admin of eu.org to request a certificate for example.de.eu.org (or subdomains thereof) through the mechanism described in the draft, although there is a public suffix in between? (I don't think so.)

If this should be prevented, the corresponding public suffix check needs to be mandatory. (However, I'm not sure if it needs to be in this draft, or in the CA/B guidelines.)

What do you think?

Thanks,
Peter

--
https://desec.io/

_______________________________________________
Acme mailing list
https://www.ietf.org/mailman/listinfo/acme
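The check the post asks about, as an added example that is not part of the post or of the draft: given the parent domain that was validated and the name being requested, list the ancestors strictly between them and refuse if any of them is a public suffix. The suffix set below is a constructed subset for illustration; a real implementation loads the current list and also handles its wildcard (`*.`) and exception (`!`) rules, which are omitted here.

```python
# Added example: detect a public suffix sitting between a requested name and
# the parent domain used for validation. Not code from the post or the draft.

# Constructed subset of public suffix list entries, for this example only.
# A real check loads the current list and applies its wildcard/exception rules.
CONSTRUCTED_PSL = {"org", "eu.org", "de.eu.org", "com", "co.uk", "uk"}


def normalize(name):
    """Lower-case and strip a trailing dot so names compare label by label."""
    return name.rstrip(".").lower()


def is_ancestor(parent, name):
    """True if `name` equals `parent` or lies in the subtree below it."""
    parent, name = normalize(parent), normalize(name)
    return name == parent or name.endswith("." + parent)


def intermediate_names(parent, name):
    """Ancestors of `name` strictly below `parent` and strictly above `name`,
    longest first (e.g. eu.org -> www.example.de.eu.org gives
    ['example.de.eu.org', 'de.eu.org'])."""
    parent, name = normalize(parent), normalize(name)
    if not is_ancestor(parent, name):
        raise ValueError(f"{parent} is not an ancestor of {name}")
    labels = name.split(".")
    depth_between = len(labels) - len(parent.split("."))
    return [".".join(labels[i:]) for i in range(1, depth_between)]


def public_suffix_between(parent, name, psl=CONSTRUCTED_PSL):
    """Return the first intermediate ancestor that is a public suffix, else None."""
    for candidate in intermediate_names(parent, name):
        if candidate in psl:
            return candidate
    return None


def may_validate_via_parent(parent, name, psl=CONSTRUCTED_PSL):
    """Decision a CA could apply: parent must be an ancestor of the requested
    name and no public suffix may lie between the two."""
    if not is_ancestor(parent, name):
        return False
    return public_suffix_between(parent, name, psl) is None


if __name__ == "__main__":
    # The case from the post: eu.org validated, example.de.eu.org requested.
    print(public_suffix_between("eu.org", "example.de.eu.org"))   # de.eu.org
    print(may_validate_via_parent("eu.org", "example.de.eu.org"))  # False
    print(may_validate_via_parent("example.com", "www.example.com"))  # True
```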
