On Wed, Dec 16, 2015 at 3:27 PM, Stephen Farrell <[email protected]> wrote:
>
> On 16/12/15 20:11, Michael Wyraz wrote:
>> Stephen,
>>
>> I fear I have no idea what you mean with a "suffix list" and such.
>
> (Caveat: I'm very much an amateur at DNS issues, I hope someone
> else provides a better/more accurate response if one's needed.)
>
> Pretty much all mechanisms of the kind you envisage end up
> requiring a way to allow the "real" authority for a set of
> names to control what happens deeper in the hierarchy. So
> tcd.ie could decide what cs.tcd.ie are allowed to do with
> acme for example. That means you end up needing to know
> roughly where the zone cuts are, which is a hard problem
> in general. The public suffix list is how that's mostly
> done in the web and dbound is (an IETF activity) trying to
> tease apart the various uses of that.
>
> So one of the problems with what you suggest is that the
> "right" place to look for my web servers is two up in the
> hierarchy and not the public suffix and not one up.
No, that isn't what we do for DV certs unless they are wildcard certs. You are not going to be issuing wildcard certs with this mousetrap built in this particular way for a long time.
