> On Dec 15, 2015, at 7:17 AM, Michael Wyraz <[email protected]> wrote: > > Stephen, >> Yes, I understand that and didn't actually refer to LE at all in my mail. > I'm sorry if I missunderstood you with that. > >> Basically, IMO only after we first get a "now" that works > We have a working HTTP-01 spec, implementation and CA. What's missing > for "a 'now' that works"? > >> Personally the optional thing in which I'm much more interested is a >> simple put-challenge-in-DNS one where the CA pays attention to DNSSEC, >> since that's the use-case I have and that would provide some better >> assurance to the certs acquired via acme. I can see that there might >> also be value for some (other) folks in SRV if it means no need to >> dynamically change DNS. But, if someone is saying "we must all do >> these more complex things for security reasons" then they are, in this >> context, wrong. And my mail was reacting to just such a statement. > Why not just placing a static public key to DNS that is allowed to sign > ACME requests for this domain? Simple, no need for dynamic updates (yes, > it's standardized for years but AFAIK not seen very often in real world > scenarios).
Anything that makes deployment _harder_ than the current LE client is a move in the wrong direction. UX matters, with security more than just about anything else. Unless you can propose a user flow to go with this change, no amount of hypothetical correctness is worth having a tool no one will use. --Noah
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
