Currently, the DNS challenge uses a random token which changes every time an authorization is performed.
This seems problematic, however. Changes to DNS can take time to propagate, and changes to DNS may involve manual intervention. If an authorization fails for any reason, the process has to be started again. This seems like an obstacle to the automated acquisition and renewal of certificates which ACME is supposed to enable.

Since what is ultimately desired is to authorize an account, wouldn't it make more sense to place in DNS not a random challenge response, but an unambiguous endorsement of a given account key to represent the domain? This could be reverified easily by subsequent authorizations.

Hugo Landau

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
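To make the trade-off in the post concrete, the following is an added example (not code from the post, the ACME drafts or any ACME implementation) that derives the DNS TXT record a client must publish for the DNS challenge in its later standardized form (RFC 8555 section 8.4): the record value is the base64url SHA-256 of the key authorization, which is the server's random token joined with a "." to the RFC 7638 thumbprint of the account key. Because the token is part of the hash, the published value is different for every authorization even though the account key, the thing the post argues is what actually needs endorsing, never changes. The JWK values and token strings below are constructed placeholders (not a real key pair), and the helper names are this example's own.

```python
import base64
import hashlib
import json

# Constructed sample account keys (placeholder coordinates, not real P-256 points).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "x-coordinate-placeholder", "y": "y-coordinate-placeholder"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "another-x-placeholder", "y": "another-y-placeholder"}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the key's required members.

    Canonical form = only the required members for the key type, lexicographically
    ordered, no whitespace, UTF-8. Optional members such as "kid" or "alg" are excluded.
    """
    required = {
        "RSA": ("e", "kty", "n"),
        "EC": ("crv", "kty", "x", "y"),
    }[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token || '.' || thumbprint(accountKey): binds this challenge to this account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record_name(domain: str) -> str:
    """The TXT owner name the CA queries for the DNS challenge."""
    return f"_acme-challenge.{domain}."


def dns01_value(token: str, jwk: dict) -> str:
    """TXT record value: base64url(SHA-256(keyAuthorization))."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())


def dns01_validates(txt_values: list[str], token: str, jwk: dict) -> bool:
    """CA-side check: is the expected value among the TXT records that were published?"""
    return dns01_value(token, jwk) in txt_values


if __name__ == "__main__":
    # Two authorizations for the same domain and the same account: the thumbprint
    # half of the key authorization is identical, yet the published record differs,
    # so the DNS zone has to change (and propagate) for each one.
    for token in ("constructed-token-1", "constructed-token-2"):
        print(dns01_record_name("example.com"), "TXT", dns01_value(token, ACCOUNT_JWK))
    print("account thumbprint (stable):", jwk_thumbprint(ACCOUNT_JWK))
```

The thumbprint is what a stable "endorse this account key" record could carry; the token is what forces a fresh DNS change per authorization, which is exactly the propagation and manual-intervention cost the post raises.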
