> I think that if the original web server is not involved, then it's not
> really doing authorization.

The original web server for delegated http-01 challenges has the same level of involvement as a dns-01 challenge does with a CNAME today. In both cases, the challenge flow is immediately delegated to an independent server. The only difference is that for delegated http-01 the authoritative source is a web server whereas it's a DNS server for dns-01.

> dns-01 is not really that difficult if you have the amount of control that
> you'd need for your delegation.

There are quite a few downsides of the dns-01 flow compared to http-01. As an example, http-01 validation can happen in less than a second, whereas DNS challenge propagation can take tens of seconds or even minutes. And with MPIC, this will be further degraded as propagation delay will be the slowest out of N (even with a small N=3, this will shift the p50 propagation delay to be the p80 of a single perspective).

On Mon, Jan 20, 2025 at 2:52 PM Michael Richardson <mcr+i...@sandelman.ca> wrote:

> Jared Crawford <jmcrawfor...@gmail.com> wrote:
> > The 301 redirect works only for hostnames with publicly exposed webservers.
> > All other hosts have to deal with the downsides of dns-01 challenges
> > compared to the http-01 flow.
>
> I think that if the original web server is not involved, then it's not really
> doing authorization.
>
> dns-01 is not really that difficult if you have the amount of control that
> you'd need for your delegation.
>
> --
> Michael Richardson <mcr+i...@sandelman.ca> . o O ( IPv6 IøT consulting )
> Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
Acme mailing list -- acme@ietf.org
To unsubscribe send an email to acme-le...@ietf.org
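As an added example that is not part of the thread (and not the poster's code): the order-statistics argument behind the claim that, with N=3 perspectives, the p50 propagation delay becomes roughly the p80 of a single perspective, checked against a constructed (not measured) log-normal sample of dns-01 propagation delays. It assumes each perspective sees an independent, identically distributed delay.

```python
"""Added example (not from the thread): why MPIC's slowest-of-N rule shifts the
median dns-01 propagation delay towards a higher single-perspective percentile.
Assumes each perspective's delay is an independent draw from one distribution."""
import random
import statistics


def single_perspective_quantile(n_perspectives: int, q: float = 0.5) -> float:
    """Map the q-quantile of the slowest of N perspectives back to a quantile of
    one perspective: the slowest of N i.i.d. delays has CDF F(x)**N, so solving
    F(x)**N = q gives F(x) = q**(1/N).  For N=3, q=0.5 this is ~0.794 (about p80)."""
    return q ** (1.0 / n_perspectives)


def constructed_delays(count: int = 20000, seed: int = 1) -> list:
    """Constructed single-perspective propagation delays in seconds
    (log-normal with median e**3 ~= 20 s; illustrative, not measured data)."""
    rng = random.Random(seed)
    return [rng.lognormvariate(3.0, 0.6) for _ in range(count)]


def quantile(values: list, q: float) -> float:
    """Empirical quantile by nearest rank (adequate for a large sample)."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * (len(ordered) - 1)))]


def median_slowest_of_n(delays: list, n_perspectives: int,
                        trials: int = 20000, seed: int = 2) -> float:
    """Simulate MPIC: each perspective sees its own delay and validation only
    completes once the slowest perspective has seen the record propagate."""
    rng = random.Random(seed)
    slowest = [max(rng.choice(delays) for _ in range(n_perspectives))
               for _ in range(trials)]
    return statistics.median(slowest)


def compare(n_perspectives: int = 3) -> dict:
    """Analytic prediction next to the simulated median for N perspectives."""
    delays = constructed_delays()
    eq = single_perspective_quantile(n_perspectives)
    return {
        "single_p50": quantile(delays, 0.5),
        "equivalent_single_quantile": eq,
        "single_at_equivalent": quantile(delays, eq),
        "simulated_p50_slowest_of_n": median_slowest_of_n(delays, n_perspectives),
    }
```

Calling `compare(3)` shows the simulated median of the slowest-of-3 landing on the single-perspective ~p79 value rather than its p50; `compare(1)` reproduces the single-perspective median as a sanity check.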