On 12/14/2015 11:53 AM, Julian Dropmann wrote:
>>> This effectively means, as a domain zone admin, I have to trust every
>>> single service I define, not just to properly deliver this service, but also
>>> not to exploit his ability to obtain signed certificates in my name.
>>
>> Yes.
>>
> And you are perfectly aware, that this was not the case before
> ACME-enabled CAs existed, and now applies to every single domain admin
> on this planet, right?
It always applied before as well. In your example, your malicious blog hoster could have just hosted unencrypted xmpp on the default port as well, and xmpp clients that don't support SRV (which probably don't exist? it's in the original RFC) would just happily connect there as well, right?

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
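The reply's point is about which host a client ends up trusting. The following is an added illustration, not code from the thread or from any ACME project: a constructed zone in which the domain's A record belongs to the web host and XMPP is advertised on a separate host via SRV. It implements the RFC 2782 priority/weight selection and the RFC 6120 fallback (no SRV support, or no SRV record, means the domain's A/AAAA on port 5222), and shows that the fallback path and an HTTP-01 validation both land on the host behind the A record. All names and addresses are assumptions.

```python
"""Which host does a client end up trusting?

Added example for the thread above; the zone, hostnames and addresses are
constructed for illustration and do not describe any real deployment.
"""
import random

# Constructed zone for example.org (assumption): the blog/web host owns the
# apex A record, a separate operator runs XMPP and is advertised via SRV.
ZONE = {
    "example.org": {"A": ["192.0.2.10"]},          # blog hoster's machine
    "xmpp.example.org": {"A": ["198.51.100.5"]},   # XMPP operator
    "xmpp2.example.org": {"A": ["198.51.100.6"]},  # XMPP operator, 2nd node
    "backup.example.org": {"A": ["203.0.113.9"]},  # lower-priority XMPP node
    "_xmpp-client._tcp.example.org": {
        # (priority, weight, port, target) as in an SRV RR
        "SRV": [
            (10, 60, 5222, "xmpp.example.org"),
            (10, 40, 5222, "xmpp2.example.org"),
            (20, 0, 5222, "backup.example.org"),
        ]
    },
}

XMPP_CLIENT_DEFAULT_PORT = 5222  # RFC 6120 fallback port for c2s


def select_srv(records, rng=random):
    """RFC 2782 selection: lowest priority wins; within that priority pick
    a target at random, proportionally to its weight."""
    lowest = min(r[0] for r in records)
    candidates = [r for r in records if r[0] == lowest]
    total_weight = sum(r[1] for r in candidates)
    if total_weight == 0:
        return candidates[0]
    pick = rng.randint(0, total_weight - 1)
    running = 0
    for rec in candidates:
        running += rec[1]
        if pick < running:
            return rec
    return candidates[-1]


def xmpp_endpoint(zone, domain, client_supports_srv, rng=random):
    """Return (hostname, port, ip) an XMPP client for `domain` connects to.

    With SRV support and an SRV record present, the client reaches the XMPP
    operator. Without SRV support (or without the record) it falls back to
    the domain's own A record on the default port, i.e. the web host.
    """
    srv = zone.get(f"_xmpp-client._tcp.{domain}", {}).get("SRV")
    if client_supports_srv and srv:
        _, _, port, target = select_srv(srv, rng)
        return target, port, zone[target]["A"][0]
    return domain, XMPP_CLIENT_DEFAULT_PORT, zone[domain]["A"][0]


def acme_http01_target(zone, domain):
    """Host that answers an ACME HTTP-01 challenge for `domain`: the
    validator fetches from the domain's A/AAAA record on port 80."""
    return domain, 80, zone[domain]["A"][0]


def same_trust_anchor(zone, domain):
    """True when the host that can obtain a certificate via HTTP-01 is the
    same host an SRV-unaware XMPP client would hand its session to."""
    return (acme_http01_target(zone, domain)[2]
            == xmpp_endpoint(zone, domain, client_supports_srv=False)[2])


if __name__ == "__main__":
    print("SRV-aware client  :", xmpp_endpoint(ZONE, "example.org", True))
    print("SRV-unaware client:", xmpp_endpoint(ZONE, "example.org", False))
    print("HTTP-01 validation:", acme_http01_target(ZONE, "example.org"))
    print("same host in both fallback cases:", same_trust_anchor(ZONE, "example.org"))
```

Running it shows the SRV-aware client reaching one of the priority-10 XMPP nodes, while the SRV-unaware client and the HTTP-01 validator both reach 192.0.2.10, the web host; the set of parties a zone admin has to trust is the same in the pre-ACME fallback case and in the ACME case.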
