>>>>> "JH" == Jacob Hoffman-Andrews <[email protected]> writes:
JH> In general, publicly trusted CAs are supposed to verify that a name is
JH> available on the public Internet.

Why? There is no value in doing that.

There's value in confirming that the name isn't someone else's, but dlv certs issuers only need to confirm that the requester has control of the name or a non-public-suffix parent of that name to provide the level of security they claim to provide.

Creating certs for hostnames and service names which are only used internally and which are rooted in a zone name the requester controls (so not things like local. or the like) is important, too. Wireless can be sniffed (are you certain that "wifi security" is secure?) and most lans have untrustable commercial devices on them.

Also, some machines inside the lan may need to authenticate themselves to machines outside; using the same cert for server and client use is all which some software supports.

ACME isn't only about https.

-JimC
--
James Cloos <[email protected]> OpenPGP: 0x997A9F17ED7DAEA6
