On Wed, Dec 16, 2015 at 8:38 AM, Stephen Farrell <[email protected]>
wrote:

>
>
> On 16/12/15 12:20, Julian Dropmann wrote:
> > If they trust you with that, they could just add an ACRE specific SRV
>
> (ACRE? You mean acme I guess.)
>
> > record, and thereby delegate that privilege to create certs to you and
> > everything would be fine.
>
> Yes. They could. But they won't;-)
>
> And as it happens in my own specific case I don't want the ability
> to get a cert for any name in the relevant zone, I only want to be
> able to get and renew certs for the names of my web servers. So the
> semantics of the thing you'd put in DNS (or the thing to which it'd
> point) would likely end up quite complex. It'd end up much like an
> RA is my guess, and I really don't think we want to go there yet
> with acme.


If the requirement is for an RA, you are not going to end up with a simpler
protocol if you insist on giving people umbrellas instead.

The reason the introduction of an RA simplifies the protocol is precisely
because it removes the need to validate the RA for each cert issue. The
RA validates once (a year), is issued a PKI credential and then uses that
to authenticate each request.


Stephen's situation is not typical of enterprise but it is very typical of
academic and SOHO environments.

> They were able to do this with the A record too.
> >
> > I just do not find it intuitive in general that by defining any record
> > you do this implicitly as a domain owner.
> > At least I personally was not expecting this, but maybe it's just me that
> > is so stupid.
> >
> > And the question was not about whether you personally are legitimated to
> > create certs for your university, but whether this should be the case for
> > any host of every single zone.
>
> Not "any host" but any host that runs a web server and where the
> entity requesting the cert demonstrates control over that web server.
> I think that is fine in general myself.


It all depends on what your requirements are.

My immediate requirement is to make the certificate warnings 'go away' on
my internal server boxen without me spending money. They are behind a NAT
and there is no way to change that.

The NAS boxes are running a version of Linux but the whole point of getting
a package deal was to avoid maintenance issues. A proposal that requires me
to write a half dozen scripts is not going to be any easier for me to
manage than my current solution of a local CA whose root I install on every
machine when I accept it into the network.
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme