On Wed, Dec 16, 2015 at 2:38 PM, Stephen Farrell <[email protected]>
wrote:

>
>
> On 16/12/15 12:20, Julian Dropmann wrote:
> > If they trust you with that, they could just add an ACRE specific SRV
>
> (ACRE? You mean acme I guess.)
>
> > record, and thereby delegate that privilege to create certs to you and
> > everything would be fine.
>
> Yes. They could. But they won't;-)
>

Why should this not be your problem then?


>
> And as it happens in my own specific case I don't want the ability
> to get a cert for any name in the relevant zone, I only want to be
> able to get and renew certs for the names of my web servers. So the
> semantics of the thing you'd put in DNS (or the thing to which it'd
> point) would likely end up quite complex. It'd end up much like an
> RA is my guess, and I really don't think we want to go there yet
> with acme.
>

I was not saying that you should be able to create wildcard certs or certs
for sub-zones.
The problem is quite clear: under one single zone (excluding sub-zones) or
name (I am not sure if I am using the correct terms here) there can be
multiple services (A, MX, SRV, etc.).
So even if you only create certs for your web server, you could use that for
other services.


>
> > They were able to do this with the A record too.
> >
> > I just do not find it intuitive in general that by defining any record
> > you do this implicitly as a domain owner.
> > At least I personally was not expecting this, but maybe it's just me
> > that is so stupid.
> >
> > And the question was not about whether you personally are legitimated to
> > create certs for your university, but whether this should be the case for
> > any host of every single zone.
>
> Not "any host" but any host that runs a web server and where the
> entity requesting the cert demonstrates control over that web server.
> I think that is fine in general myself.
>


Let me rephrase that question one more time:

How should I have known that it's a bad idea to put my weblog under the same
zone/name as other private stuff like email, XMPP and such, if I do not
control it (ALL) by myself?
Is there any prior work / RFC which hints that all those services of one
zone basically belong to one entity, and can "speak" for each other?
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme