On 26/11/15 11:27, Yoav Nir wrote:
>
>> On 26 Nov 2015, at 1:00 PM, Stephen Farrell
>> <[email protected]> wrote:
>>
>> On 26/11/15 08:36, Eliot Lear wrote:
>>> Yes. The real issue here is that the cert contains the hostname
>>> and not the port.
>>
>> So one could define a new always-critical certificate extension
>> saying that the cert is only for use with some set of ports. (Or
>> maybe someone's already defined it, I forget;-)
>
> An extension - not that I know of, but as was mentioned in the other
> thread, there’s the URI subject alternate name. However, no current
> browsers look at this field, so the URI SAN provides no security from
> the privilege escalation. OTOH a critical extension would block *all*
> existing browsers from relying on such a certificate, with the only
> remedy being “Let’s Not Encrypt”.
True. A port-specific cert would only work with updated browsers, which
I guess is a fairly fatal objection to the idea. Ah well.

S

> It might be OK if the extension was added only to certificates issued
> to those who could not meet the challenge on port 443, but I still
> prefer to not go there.
>
> Yoav
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
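As an added illustration, not code from this thread or from any browser or CA: a stdlib-only Python model of the two checks the thread is weighing, using constructed SAN entries and a placeholder OID for the hypothetical "permitted ports" extension. It shows why a dNSName-only certificate authorizes every port on the host, how a URI SAN would bind a port if clients honoured it, and why an unrecognised critical extension makes an RFC 5280 validator reject the certificate outright.

```python
from urllib.parse import urlsplit

# Constructed sample SAN entries, as (type, value) pairs a parser would return.
SAN_DNS_ONLY = [("dNSName", "example.test")]
SAN_WITH_URI = [("dNSName", "example.test"),
                ("uniformResourceIdentifier", "https://example.test:8443")]

# Extension OIDs this model validator understands: subjectAltName,
# basicConstraints, keyUsage.
KNOWN_EXTENSION_OIDS = {"2.5.29.17", "2.5.29.19", "2.5.29.15"}
# Placeholder OID for the hypothetical port-restricting extension; not registered.
HYPOTHETICAL_PORTS_EXT_OID = "1.3.6.1.4.1.99999.1"


def rejects_unknown_critical(extensions, known=KNOWN_EXTENSION_OIDS):
    """RFC 5280 section 4.2: a certificate carrying a critical extension the
    validator does not recognise MUST be rejected. `extensions` is a list of
    (oid, critical) pairs."""
    return any(critical and oid not in known for oid, critical in extensions)


def _uri_binds(uri, host, port):
    # A URI SAN carries scheme, host and (optionally) port; default https port is 443.
    parts = urlsplit(uri)
    if parts.scheme.lower() != "https" or parts.hostname is None:
        return False
    uri_port = parts.port if parts.port is not None else 443
    return parts.hostname.lower() == host.lower() and uri_port == port


def san_authorizes(san_entries, host, port, check_uri_san=False):
    """True if the SAN authorises the certificate for host (and port, when the
    URI SAN is honoured).

    check_uri_san=False models current browsers: only dNSName is consulted, so a
    certificate obtained for any port on the host is accepted on every port,
    including 443. check_uri_san=True models a client that honours a URI SAN,
    falling back to dNSName only when no URI SAN is present."""
    dns_match = any(t == "dNSName" and v.lower() == host.lower()
                    for t, v in san_entries)
    uris = [v for t, v in san_entries if t == "uniformResourceIdentifier"]
    if check_uri_san and uris:
        return any(_uri_binds(u, host, port) for u in uris)
    return dns_match
```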
