> I agree that getting things started is very important for Let's Encrypt.
> But in my understanding, this is the mailing list for discussing the ACME
> protocol, not the 1st implementation of it. So shouldn't we think/discuss
> what comes after "now"?
I agree it is important to distinguish between LE and ACME. But it is also important to realize that we are going for something that works in ACME-1, and that is acceptable to the Web PKI. We have tried, many times, to make something that is totally correct and "better."

Certificates, right now, have no way to identify themselves as being limited to a specific TCP/IP port, be it IETF well-known or otherwise. Therefore, attempts to constrain this protocol so that it can only be used to get certificates that way seem, ultimately, not worthwhile at this point. If someone like the CABForum or a new IETF WG (PKIX-bis anyone?) defined an extension that said "this certificate is only used for HTTPS", then an ACME-2 challenge that could get such certificates makes sense.

--
Senior Architect, Akamai Technologies
IM: [email protected] Twitter: RichSalz

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
