> On Dec 14, 2015, at 11:23 AM, James Cloos <[email protected]> wrote:
>
>>>>>> "JH" == Jacob Hoffman-Andrews <[email protected]> writes:
>
> JH> In general, publicly trusted CAs are supposed to verify that a name is
> JH> available on the public Internet.
>
> Why? There is no value in doing that.
>
> There's value in confirming that the name isn't someone else's, but
> DV cert issuers only need to confirm that the requester has control of
> the name or a non-public-suffix parent of that name to provide the level
> of security they claim to provide.
>
> Creating certs for hostnames and service names which are only used
> internally and which are rooted in a zone name the requester controls
> (so not things like local. or the like) is important, too.
>
> Wireless can be sniffed (are you certain that "wifi security" is secure?)
> and most LANs have untrustable commercial devices on them.
>
> Also, some machines inside the LAN may need to authenticate themselves to
> machines outside; using the same cert for server and client use is all
> which some software supports.
>
> ACME isn't only about https.
Internal hostnames will probably be better served by setting up a behind-the-firewall ACME CA and using that. As LE/ACME get more mindshare, hopefully we'll see some turnkey solutions for this if they don't exist already.

Applying blanket assumptions that proof of ownership of a domain applies recursively to all subdomains seems like it is only a matter of time until it turns into a security risk, or at least would require careful interaction with the existing validators.

--Noah
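The two policies argued over above (James: control of a non-public-suffix parent should be enough; Noah: treating ownership as recursive over all subdomains is a risk) can be made concrete as a small authorization check. The following is an added example, not code from the ACME thread, Let's Encrypt, or any CA. The public-suffix fragment and the special-use TLD set are constructed for the example; a real issuer would consult the full Public Suffix List and the IANA special-use registry.

```python
"""Decide whether a set of already-validated names authorizes a requested name.

Added example for the ACME-list discussion; not any CA's actual policy code.
Two policies are implemented:
  recursive=False : the exact requested name must have been validated.
  recursive=True  : the requested name, or any ancestor below the public-suffix
                    boundary, must have been validated (James Cloos's proposal).
The recursive policy is the one Noah warns about: validating "example.com"
then authorizes every descendant, including zones example.com may have
delegated to someone else.
"""

# Constructed fragment of the Public Suffix List, for the example only.
PUBLIC_SUFFIXES = {"com", "co.uk", "github.io"}

# Constructed set of top-level labels that never denote a zone the requester
# controls on the public Internet (RFC 6761/6762-style special-use names).
SPECIAL_USE_TLDS = {"local", "localhost", "example", "invalid", "test", "onion"}


def normalize(name: str) -> str:
    """Lower-case, strip the trailing dot, and reject empty or oversized labels."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if any(not label or len(label) > 63 for label in labels):
        raise ValueError(f"malformed DNS name: {name!r}")
    return name


def ancestors(name: str):
    """Yield name, its parent, its grandparent, ... up to the top label."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def authorized(requested: str, validated, recursive: bool) -> bool:
    """Return True if `validated` (names whose control was proven) covers `requested`."""
    requested = normalize(requested)
    proven = {normalize(v) for v in validated}

    # Names rooted in a special-use TLD (printer.local, db.test, ...) are not
    # zones anyone controls on the public Internet, so no validation covers them.
    if requested.split(".")[-1] in SPECIAL_USE_TLDS:
        return False
    # A public suffix itself (com, co.uk, github.io) is never an issuable name.
    if requested in PUBLIC_SUFFIXES:
        return False

    if not recursive:
        return requested in proven

    # Walk upward from the requested name. Stop at the public-suffix boundary:
    # control of "github.io" must not authorize "alice.github.io", because each
    # label below a public suffix belongs to a different registrant.
    for ancestor in ancestors(requested):
        if ancestor in PUBLIC_SUFFIXES:
            return False
        if ancestor in proven:
            return True
    return False


if __name__ == "__main__":
    cases = [
        ("internal.corp.example.com", ["example.com"]),   # James: parent control suffices
        ("printer.local", ["printer.local"]),             # not a controllable zone
        ("alice.github.io", ["github.io"]),               # stops at public suffix
    ]
    for name, proven in cases:
        print(f"{name:28} strict={authorized(name, proven, False)!s:5} "
              f"recursive={authorized(name, proven, True)}")
```

Running the module prints the verdict under both policies for each constructed case; the middle and last rows are the same under either policy, which is the point: the public-suffix and special-use checks are what keep the recursive policy from authorizing names the requester cannot have proven control of.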
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
