> >This effectively means, as a domain zone admin, I have to trust every
> >single service I define, not just to properly deliver this service, but
> >also not to exploit his ability to obtain signed certificates in my name.
>
> Yes.

And you are perfectly aware that this was not the case before ACME-enabled CAs existed, and now applies to every single domain admin on this planet, right?

> >Also you rely on the fact that on UNIX only root can bind on port 80 and
> >443.
>
> Not for *security* but for connectivity. That is an important difference.

If it was not for security, then why not allow other ports, so you can verify the ownership while for example an application server is bound to that port? The A record does not specify the port anyway.

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
