<zhangt...@mails.tsinghua.edu.cn> wrote:
> If both conditions are met, the CA proceeds with certificate issuance
> according to the standard ACME protocol. If the IP addresses do not
> match, the CA terminates the connection, as this may indicate a
> compromised ACME account.
So if the client is behind NAT44 or NAT64, then it will always fail this check.
{There are many situations where dns-01 authorization challenges are used
because the relevant server is not publicly reachable, but is reachable by
name to the clients that need to reach it.}

How is this evidence of a compromised *account*?

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
Acme mailing list -- acme@ietf.org
To unsubscribe send an email to acme-le...@ietf.org