> On 26 Nov 2015, at 1:00 PM, Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote:
>
> On 26/11/15 08:36, Eliot Lear wrote:
>> Yes. The real issue here is that the cert contains the hostname and not
>> the port.
>
> So one could define a new always-critical certificate extension
> saying that the cert is only for use with some set of ports. (Or
> maybe someone's already defined it, I forget;-)
An extension - not that I know of, but as was mentioned in the other thread, there’s the URI subject alternate name. However, no current browsers look at this field, so the URI SAN provides no security from the privilege escalation. OTOH a critical extension would block *all* existing browsers from relying on such a certificate, with the only remedy being “Let’s Not Encrypt”. It might be OK if the extension was added only to certificates issued to those who could not meet the challenge on port 443, but I still prefer to not go there.

Yoav

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
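The two mechanisms weighed in this exchange, an always-critical "allowed ports" extension and a URI SAN that names the port, can be seen side by side with Go's standard crypto/x509 library. The program below is an added illustration, not code from the ACME list or the IETF; it mints a self-signed test certificate for a constructed host name, attaches a URI SAN carrying the port and a hypothetical port-restriction extension under an unassigned placeholder OID, and then runs the plain chain-and-hostname check that a relying party unaware of that extension performs. Marking the extension critical makes that check fail with x509.UnhandledCriticalExtension, which is the "blocks all existing browsers" outcome; marking it non-critical lets the certificate verify while the port list is simply ignored. The last helper shows the check a port-aware client would have to add on top of chain validation to give a URI SAN any effect; the function names and the OID are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strconv"
	"time"
)

// Hypothetical OID standing in for the "allowed ports" extension sketched on
// the list. It is a placeholder under the private-enterprise arc, not assigned.
var allowedPortsOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// buildCert mints a self-signed certificate for host with a DNS SAN, a URI SAN
// naming port, and an allowedPorts extension whose criticality the caller picks.
func buildCert(host string, port int, critical bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	portsDER, err := asn1.Marshal([]int{port}) // encoded as SEQUENCE OF INTEGER
	if err != nil {
		return nil, err
	}
	uri, err := url.Parse("https://" + host + ":" + strconv.Itoa(port))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		URIs:                  []*url.URL{uri},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		ExtraExtensions: []pkix.Extension{{
			Id: allowedPortsOID, Critical: critical, Value: portsDER,
		}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyLikeBrowser does the ordinary chain plus hostname check, which is all a
// relying party that has never heard of allowedPortsOID will do.
func verifyLikeBrowser(cert *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// isUnhandledCritical reports whether verification failed only because the
// certificate carries a critical extension the verifier does not understand.
func isUnhandledCritical(err error) bool {
	var e x509.UnhandledCriticalExtension
	return errors.As(err, &e)
}

// allowedPorts decodes the extension if present; a port-aware relying party
// would consult it after the chain check, which a plain verifier never does.
func allowedPorts(cert *x509.Certificate) ([]int, bool) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(allowedPortsOID) {
			var ports []int
			if _, err := asn1.Unmarshal(ext.Value, &ports); err != nil {
				return nil, false
			}
			return ports, true
		}
	}
	return nil, false
}

// portPermittedByURISAN enforces the port named in a URI SAN, a check the
// client must add itself. A certificate without a URI SAN is left unrestricted,
// matching existing behaviour.
func portPermittedByURISAN(cert *x509.Certificate, host string, port int) bool {
	if len(cert.URIs) == 0 {
		return true
	}
	for _, u := range cert.URIs {
		if u.Hostname() == host && u.Port() == strconv.Itoa(port) {
			return true
		}
	}
	return false
}

func main() {
	for _, critical := range []bool{false, true} {
		c, err := buildCert("example.test", 8443, critical) // constructed host
		if err != nil {
			panic(err)
		}
		err = verifyLikeBrowser(c, "example.test")
		ports, _ := allowedPorts(c)
		fmt.Printf("critical=%v: verify error=%v (unhandled critical: %v); extension ports=%v; URI SAN permits :443=%v :8443=%v\n",
			critical, err, isUnhandledCritical(err), ports,
			portPermittedByURISAN(c, "example.test", 443),
			portPermittedByURISAN(c, "example.test", 8443))
	}
}
```

Running it shows the trade-off in one screen: the critical variant is unusable by any verifier that has not been taught the extension, while the non-critical variant verifies everywhere and restricts nothing unless the client opts in through allowedPorts or portPermittedByURISAN.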