On 16/12/15 20:32, Phillip Hallam-Baker wrote:
> On Wed, Dec 16, 2015 at 3:27 PM, Stephen Farrell
> <[email protected]> wrote:
>>
>>
>> On 16/12/15 20:11, Michael Wyraz wrote:
>>> Stephen,
>>>
>>> I fear I have no idea what you mean with a "suffix list" and such.
>>
>> (Caveat: I'm very much an amateur at DNS issues, I hope someone
>> else provides a better/more accurate response if one's needed.)
>>
>> Pretty much all mechanisms of the kind you envisage end up
>> requiring a way to allow the "real" authority for a set of
>> names to control what happens deeper in the hierarchy. So
>> tcd.ie could decide what cs.tcd.ie are allowed to do with
>> acme for example. That means you end up needing to know
>> roughly where the zone cuts are, which is a hard problem
>> in general. The public suffix list is how that's mostly
>> done in the web and dbound is (an IETF activity) trying to
>> tease apart the various uses of that.
>>
>> So one of the problems with what you suggest is that the
>> "right" place to look for my web servers is two up in the
>> hierarchy and not the public suffix and not one up.
>
> No, that isn't what we do for DV certs unless they are wildcard certs.
>
> You are not going to be issuing wildcard certs with this mousetrap
> built in this particular way for a long time.

Right. But any proposal to use SRV for a DV-equivalent seems to me to open this can of worms. Feel free to write the I-D that shows that I'm wrong though as I may well be misinterpreting what Michael or you mean.

S.

>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
>
