On Mon, Dec 14, 2015 at 5:58 PM, moparisthebest <[email protected]> wrote:
> On 12/14/2015 11:53 AM, Julian Dropmann wrote: > > > > >This effectively means, as a domain zone admin, I have to trust > every single service I define, not just to properly deliver this service, > but also not to exploit his ability to obtain signed certificates in my > name. > > > > Yes. > > > > > > And you are perfectly aware, that this was not the case before > > ACME-enabled CAs existed, and now applies to every single domain admin > > on this planet, right? > > It always applied before as well. In your example, your malicious blog > hoster could have just hosted un-encrypted xmpp on the default port as > well and xmpp clients that don't support SRV (which probably don't > exist? it's in the original RFC) would just happily connect there as > well, right? > Sure, they were able to provide malicious services under that domain, but not with a valid certificate. I think this is still a major difference.
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
