On 11/25/2015 12:15 PM, Eric Rescorla wrote:
> On Wed, Nov 25, 2015 at 9:14 AM, moparisthebest wrote:
> > Why shouldn't the client simply be able to tell the ACME server what
> > port to test, and the ACME server assume if the client has access to
> > ANY port on the server then it should be able to host ANY TLS service
> > on that server?
>
> Because this doesn't match operational reality on a number of shared
> hosting systems.
That sounds like a problem for the sysadmins who misconfigured those shared systems? A domain validated certificate doesn't say, and never has said, "This entire machine is controlled solely by the domains specified in this certificate"; instead it says "This particular service/port on this server is authorized by this domain to provide this service, however this machine or even this port (via SNI) could host plenty of other services/domains as well".

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
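The disagreement above turns on who can answer a validation probe on a shared IP. The model below is an added example, not code from the thread or from any ACME implementation, and it assumes a simplified picture: one IP shared by several tenants, a Unix-style rule that only the admin can bind ports at or below 1023, and a CA that either probes a fixed port (443) or probes whatever port the requesting client names. All tenant names, domain names and token strings are constructed for the illustration.

```python
from dataclasses import dataclass, field

PRIVILEGED_PORT_MAX = 1023   # on Unix, binding a port <= 1023 needs root
FIXED_VALIDATION_PORT = 443  # the only port the fixed-port policy probes


@dataclass
class Listener:
    """A TLS listener owned by one tenant.

    challenge_responses maps an SNI name to the ACME challenge token the
    listener is prepared to present for that name.
    """
    tenant: str
    challenge_responses: dict = field(default_factory=dict)


@dataclass
class SharedHost:
    """One IP address shared by several tenants; each port has one owner."""
    listeners: dict = field(default_factory=dict)  # port -> Listener

    def bind(self, tenant, port, is_admin=False):
        # privilege check first, as the kernel does, then address-in-use
        if port <= PRIVILEGED_PORT_MAX and not is_admin:
            raise PermissionError(f"{tenant} may not bind privileged port {port}")
        if port in self.listeners:
            raise OSError(f"port {port} is already bound by {self.listeners[port].tenant}")
        self.listeners[port] = Listener(tenant)
        return self.listeners[port]

    def tls_handshake(self, port, sni):
        """Return (tenant, token) for a TLS connection to `port` with SNI `sni`."""
        listener = self.listeners.get(port)
        if listener is None:
            return None, None
        return listener.tenant, listener.challenge_responses.get(sni)


def validate(host, domain, token, requested_port, client_chooses_port):
    """Model of the CA's validation step (hypothetical, not a real ACME challenge).

    With client_chooses_port=True the CA probes whatever port the ACME client
    named in its request; otherwise it always probes FIXED_VALIDATION_PORT.
    Returns (passed, tenant_that_answered).
    """
    port = requested_port if client_chooses_port else FIXED_VALIDATION_PORT
    tenant, answer = host.tls_handshake(port, domain)
    return answer == token, tenant


def run_scenario(client_chooses_port):
    """Constructed shared-hosting scenario: two tenants each order a cert
    for victim.example, and we record whether each order would validate."""
    host = SharedHost()
    # The hosting admin runs victim.example on 443 for tenant "victim".
    victim = host.bind("victim", FIXED_VALIDATION_PORT, is_admin=True)
    # "attacker" is an ordinary tenant on the same IP: only a high port is available.
    try:
        host.bind("attacker", FIXED_VALIDATION_PORT)
        attacker_got_443 = True
    except PermissionError:
        attacker_got_443 = False
    attacker = host.bind("attacker", 8443)

    # Each tenant's order gets its own token (constructed strings); each
    # tenant configures its own listener to answer for victim.example.
    victim_token, attacker_token = "tok-victim", "tok-attacker"
    victim.challenge_responses["victim.example"] = victim_token
    attacker.challenge_responses["victim.example"] = attacker_token

    victim_ok, victim_by = validate(host, "victim.example", victim_token, 443, client_chooses_port)
    attacker_ok, attacker_by = validate(host, "victim.example", attacker_token, 8443, client_chooses_port)
    return {
        "attacker_could_bind_443": attacker_got_443,
        "victim_issued": victim_ok,
        "victim_answered_by": victim_by,
        "attacker_issued": attacker_ok,
        "attacker_answered_by": attacker_by,
    }


if __name__ == "__main__":
    for policy in (True, False):
        label = "client chooses port:" if policy else "fixed port 443:     "
        print(label, run_scenario(policy))
```

Under the client-chooses-port policy the attacker's order for victim.example validates because the CA connects to 8443, which the attacker legitimately owns; under the fixed-port policy the same probe lands on the victim's listener on 443, which does not know the attacker's token, and the order fails. That is the gap between "controls some port on this IP" and "controls the port this domain is actually served from" that the reply about shared hosting is pointing at; the published challenges took the fixed-port side (http-01 in RFC 8555 probes port 80, tls-alpn-01 in RFC 8737 probes port 443).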
