On Thu, Nov 12, 2015 at 10:11:12AM +0100, Romain Fliedel wrote:
> > > This seems problematic, however. Changes to DNS can take time to
> > > propagate, and changes to DNS may involve manual intervention. If an
> > > authorization fails for any reason, the process has to be started again.
>
> +1
> To avoid the cache issue I'm using a short TTL, but it would be easier if
> the DNS value was constant for a given account.
I think one would also have to include the endorsed EESPKI (End-Entity SubjectPublicKeyInfo, a.k.a. the server public key) too (or at least a collision-resistant hash of it)? That should rarely change, so it should be quasi-constant.

-Ilari

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
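To make the design point concrete, here is an added example (not code from the thread, from the ACME specification, or from any CA) contrasting the per-authorization random token the reply complains about with a DNS value derived from the account key and a hash of the end-entity SPKI, as Ilari suggests. The record layout, the domain-separation label, the SHA-256 choice and the sample key bytes are all assumptions made for illustration only.

```python
"""Quasi-constant DNS validation value bound to account key + EE SPKI.

Added illustration of the idea in the thread; not ACME's actual
dns-01 construction. Hash choice, label and layout are assumptions.
"""
import base64
import hashlib
import hmac
import os


def b64url(data: bytes) -> str:
    """base64url without padding (the encoding ACME uses for thumbprints)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def per_authorization_token() -> str:
    """Status quo the thread objects to: a fresh random token for every
    authorization, so each renewal forces a new DNS record and a wait
    for propagation."""
    return b64url(os.urandom(32))


def quasi_constant_value(account_thumbprint: bytes, ee_spki_der: bytes) -> str:
    """Proposed alternative: bind the value to the account key thumbprint
    and to a collision-resistant hash of the server's SubjectPublicKeyInfo.
    It only changes when the account key or the server key changes.
    The label "acme-dns-binding" is an assumed domain separator."""
    h = hashlib.sha256()
    h.update(b"acme-dns-binding\0")
    h.update(account_thumbprint)
    h.update(hashlib.sha256(ee_spki_der).digest())
    return b64url(h.digest())


def dns_txt_record(name: str, value: str) -> str:
    """Zone-file line the operator would publish once (assumed layout)."""
    return f'_acme-challenge.{name}. IN TXT "{value}"'


def ca_accepts(txt_values: list[str], account_thumbprint: bytes,
               ee_spki_der: bytes) -> bool:
    """What a CA-side validator would do: recompute the expected value and
    look for it among the TXT strings it resolved. Constant-time compare
    so a mismatch does not leak which prefix matched."""
    expected = quasi_constant_value(account_thumbprint, ee_spki_der)
    return any(hmac.compare_digest(v, expected) for v in txt_values)


# Constructed sample inputs: not real keys, just stand-ins for the DER bytes.
ACCOUNT_THUMBPRINT = hashlib.sha256(b"constructed-account-jwk").digest()
SPKI_V1 = b"\x30\x59\x30\x13" + b"\x01" * 87   # placeholder "P-256 SPKI"
SPKI_V2 = b"\x30\x59\x30\x13" + b"\x02" * 87   # after a server key rotation


if __name__ == "__main__":
    value = quasi_constant_value(ACCOUNT_THUMBPRINT, SPKI_V1)
    print(dns_txt_record("example.com", value))
    # Same account and server key at renewal time: same value, no DNS change.
    print("stable across renewals:",
          value == quasi_constant_value(ACCOUNT_THUMBPRINT, SPKI_V1))
    # Server key rotated: the record must be updated once.
    print("changes on key rotation:",
          value != quasi_constant_value(ACCOUNT_THUMBPRINT, SPKI_V2))
    print("random token changes every time:",
          per_authorization_token() != per_authorization_token())
```

The usage at the bottom shows the two properties the thread cares about: with the same account key and server key the published record stays valid across renewals, and it has to be touched exactly once when either key rotates. Whether binding to the SPKI is acceptable depends on how often operators rotate server keys, which the thread does not settle.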
