On Thu, Jul 20, 2017 at 1:42 AM, Niklas Keller <m...@kelunik.com> wrote:
>
> They can also just request them themselves, but only for their mirror
> domain. If you allow them to issue for www.php.net, you can as well just
> put the current private key there.
>
I think there is a big difference between putting the private key there and proxying validation for just a www.php.net CN alias. We already have a list of known mirrors, so we would make sure to only validate www.php.net for those. By validating www.php.net we allow any mirror to pretend they are www.php.net and no other *.php.net domain, which is exactly what we want.

-Rasmus