Dear ACME Working Group,

I hope this message finds you well. I am writing to propose an extension to the ACME protocol to enhance the http-01 challenge type by allowing delegation, so that validation requests can be directed to a designated server, similar to what is possible for dns-01 challenges today via CNAMEs.

HTTP challenges provide a variety of benefits for each stakeholder when compared to DNS challenges. For accounts that manage many certificates, these benefits become more pronounced as certificate and validation lifetimes continue to shrink. They include:

- Centralized Management: allows for centralized management of challenge responses, benefiting organizations managing multiple domains.
- Reduced Exposure: reduces the need for direct access to the domain's primary web server, particularly for hostnames behind VPNs or within corporate networks.
- Performance: more performant than DNS-01, as the token can be placed instantly on the validation-specific server, allowing for synchronous certificate issuance.
- Security: avoids the risks associated with DNS API credentials.
- Scalability: enables parallelized validation of domains on distributed load balancers.

This proposal allows for a centralized server for domain validation, addressing the challenge of validating domains hosted on servers within corporate networks that are not directly reachable by an ACME server. This method leverages the existing dns-01 challenge infrastructure to improve flexibility and performance.

I have included a rough I-D at jmcrawford45/draft-crawford-acme-delegated-http <https://github.com/jmcrawford45/draft-crawford-acme-delegated-http> of what a solution might look like, but I am open to hearing other thoughts and suggestions on how to address this problem.

Thank you for considering this proposal. I look forward to your feedback.

Jared
_______________________________________________ Acme mailing list -- acme@ietf.org To unsubscribe send an email to acme-le...@ietf.org
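The following is an added illustration, not part of the mailing-list post and not code from the referenced draft. It models the validator side of the two challenge types as RFC 8555 specifies them today (key authorization = token "." JWK thumbprint; http-01 serves that string at /.well-known/acme-challenge/<token>; dns-01 publishes base64url(SHA-256(key authorization)) in a TXT record at _acme-challenge.<domain>) and shows why CNAME delegation already works for dns-01 but an http-01 response on a separate validation host is only reached when the origin is itself reachable to redirect. The account JWK, token, hostnames, zone and URL tables are constructed sample data; `resolve_txt` and `fetch` are toy stand-ins for a resolver and an HTTP client.

```python
import base64
import hashlib
import json

# Constructed sample inputs (not from the post): a P-256 account key in JWK form with
# placeholder coordinates, and a challenge token. Only the JSON shape matters here.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    canon = json.dumps({k: jwk[k] for k in required[jwk["kty"]]},
                       sort_keys=True, separators=(",", ":")).encode()
    return b64url(hashlib.sha256(canon).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint; http-01 serves this string verbatim."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT record holds base64url(SHA-256(key authorization))."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode()).digest())


def resolve_txt(name: str, zone: dict, max_hops: int = 8) -> list:
    """Toy resolver: follow CNAMEs, then return the TXT records at the end of the chain."""
    for _ in range(max_hops):
        records = zone.get(name, [])
        cnames = [target for rtype, target in records if rtype == "CNAME"]
        if cnames:
            name = cnames[0]
            continue
        return [value for rtype, value in records if rtype == "TXT"]
    raise ValueError("CNAME chain too long")


def validate_dns01(domain: str, token: str, jwk: dict, zone: dict) -> bool:
    return dns01_txt_value(token, jwk) in resolve_txt(f"_acme-challenge.{domain}.", zone)


def fetch(url: str, web: dict, max_redirects: int = 5):
    """Toy HTTP client: a URL maps to a body, a ('redirect', url) tuple, or None (unreachable)."""
    for _ in range(max_redirects + 1):
        entry = web.get(url)
        if isinstance(entry, tuple) and entry[0] == "redirect":
            url = entry[1]
            continue
        return entry
    return None


def validate_http01(domain: str, token: str, jwk: dict, web: dict) -> bool:
    body = fetch(f"http://{domain}/.well-known/acme-challenge/{token}", web)
    return body is not None and body.strip() == key_authorization(token, jwk)


DOMAIN = "app.corp.example"          # constructed: host inside the corporate network
DELEGATE = "app.validation.example"  # constructed: centrally managed validation host

# dns-01 today: one CNAME points _acme-challenge at the validation host, and only that host
# needs to carry the per-issuance TXT record; the origin's own zone never changes again.
ZONE = {
    f"_acme-challenge.{DOMAIN}.": [("CNAME", f"{DELEGATE}.")],
    f"{DELEGATE}.": [("TXT", dns01_txt_value(TOKEN, ACCOUNT_JWK))],
}

# http-01 today: the validator dereferences the URL on the domain itself. A redirect to the
# validation host works only while the origin is reachable to send it.
WEB_ORIGIN_REACHABLE = {
    f"http://{DOMAIN}/.well-known/acme-challenge/{TOKEN}":
        ("redirect", f"http://{DELEGATE}/.well-known/acme-challenge/{TOKEN}"),
    f"http://{DELEGATE}/.well-known/acme-challenge/{TOKEN}": key_authorization(TOKEN, ACCOUNT_JWK),
}
WEB_ORIGIN_UNREACHABLE = {
    f"http://{DELEGATE}/.well-known/acme-challenge/{TOKEN}": key_authorization(TOKEN, ACCOUNT_JWK),
}


def run_scenarios() -> dict:
    return {
        "dns01_delegated": validate_dns01(DOMAIN, TOKEN, ACCOUNT_JWK, ZONE),
        "http01_redirect": validate_http01(DOMAIN, TOKEN, ACCOUNT_JWK, WEB_ORIGIN_REACHABLE),
        "http01_origin_unreachable": validate_http01(DOMAIN, TOKEN, ACCOUNT_JWK, WEB_ORIGIN_UNREACHABLE),
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The third scenario is the case the post is about: the validation host holds the correct key authorization, but under RFC 8555 the validator never asks it, because nothing reachable at the origin tells it to. Any http-01 delegation mechanism would have to give the validator that pointer through a channel other than the origin's HTTP endpoint; the draft's actual design is not reproduced here.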