Hiya,

On 15/12/15 15:17, Michael Wyraz wrote:
>> Basically, IMO only after we first get a "now" that works
> We have a working HTTP-01 spec, implementation and CA. What's missing
> for "a 'now' that works"?

PKI management with automation that gets deployed and that provides interop between end entities and a range of CAs. The core stuff acme is doing is the missing bit.

>> Personally the optional thing in which I'm much more interested is a
>> simple put-challenge-in-DNS one where the CA pays attention to DNSSEC,
>> since that's the use-case I have and that would provide some better
>> assurance to the certs acquired via acme. I can see that there might
>> also be value for some (other) folks in SRV if it means no need to
>> dynamically change DNS. But, if someone is saying "we must all do
>> these more complex things for security reasons" then they are, in this
>> context, wrong. And my mail was reacting to just such a statement.
> Why not just place a static public key in DNS that is allowed to sign
> ACME requests for this domain? Simple, no need for dynamic updates (yes,
> it's standardized for years but AFAIK not seen very often in real world
> scenarios).

Once one can modify DNS at all then that can be yet another optional thing some folks might like I guess.

I don't know how this WG can choose between all these various options in a meaningful manner tbh. I'm pretty sure that trying to do so now wouldn't necessarily be a good plan. I'd be for waiting and seeing how a few CAs running acme get on, and what real demands arise for more than the basic approach that doesn't need to modify DNS; that might be the right idea. (Even if that goes against my own wish to have the DNSSEC based thing done soon.) But that's a question for the chairs and not me.

S.

> Regards,
> Michael.
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
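As an added illustration, not code from this thread or from any ACME implementation, here is what a CA-side check of a put-challenge-in-DNS validation can look like when the CA "pays attention to DNSSEC": the resolver's authenticated-data result gates acceptance of the TXT record. The `_acme-challenge.<domain>` name and the SHA-256 key-authorization digest follow the ACME DNS challenge as specified; the token, thumbprint and zone contents are constructed, and the stub resolver stands in for a real validating resolver.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class TxtAnswer:
    records: List[str]    # TXT strings returned for the queried name
    authenticated: bool   # True when the validating resolver set the DNSSEC AD bit

def key_authorization_digest(token: str, thumbprint: str) -> str:
    """base64url(SHA-256(token "." account-key-thumbprint)), without padding."""
    key_auth = f"{token}.{thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_auth).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def validate_dns_challenge(domain: str, token: str, thumbprint: str,
                           resolve: Callable[[str], TxtAnswer],
                           require_dnssec: bool = False) -> Tuple[bool, str]:
    """CA-side check: the expected digest must appear as a TXT record at
    _acme-challenge.<domain>; with require_dnssec the answer must also be
    DNSSEC-authenticated, which is the extra assurance discussed above."""
    name = f"_acme-challenge.{domain}."
    answer = resolve(name)
    if require_dnssec and not answer.authenticated:
        return False, "answer not DNSSEC-authenticated"
    if key_authorization_digest(token, thumbprint) in answer.records:
        return True, "matching TXT record found"
    return False, "no matching TXT record"

# Constructed sample data (hypothetical): an account-key thumbprint, a
# CA-issued token, and a stub resolver with three pre-built answers.
THUMBPRINT = "constructed-thumbprint-of-account-key"
TOKEN = "constructed-token-from-ca"
EXPECTED = key_authorization_digest(TOKEN, THUMBPRINT)
ZONE = {
    "_acme-challenge.signed.example.": TxtAnswer([EXPECTED], authenticated=True),
    "_acme-challenge.unsigned.example.": TxtAnswer([EXPECTED], authenticated=False),
    "_acme-challenge.stale.example.": TxtAnswer(["old-value"], authenticated=True),
}

def stub_resolver(name: str) -> TxtAnswer:
    return ZONE.get(name, TxtAnswer([], authenticated=False))

if __name__ == "__main__":
    for host in ("signed.example", "unsigned.example", "stale.example"):
        print(host, validate_dns_challenge(host, TOKEN, THUMBPRINT,
                                           stub_resolver, require_dnssec=True))
```

With `require_dnssec=False` the unsigned zone passes, which is the weaker assurance the thread contrasts against the DNSSEC-checked variant.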
