Hi,
Even better would be if it did not introduce a new record.
The challenge could be that the user signs a random token + a random value
of his own with a private key.
So the CA sends (token, challenges[...])
The user replies (userToken, SIGNED(token,userToken), publicKey, "tlsa-311")
This has two advantages over the current model:
1) There is no dynamic update required
2) The CA can directly verify the challenge since the user can pre-publish
the TLSA record.
3) It is not more insecure than dns-01, tls-sni-01 or http-01,
since if he has control over the DNS he can select the IP.
4) It should be compatible with CNAME.
Regards, Thomas
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
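The exchange sketched in the mail, written out as an added example in Go (this is not code from the proposal or from any ACME implementation). The pieces the mail names are kept: the CA sends a random token and the challenge type "tlsa-311", the user answers with his own random userToken, a signature over both tokens, and the public key, and the CA checks that key against a TLSA "3 1 1" record (DANE-EE, SubjectPublicKeyInfo, SHA-256) that the user published beforehand, so no dynamic DNS update is needed. Everything else is assumed for illustration: Ed25519 as the key type, the owner name `_443._tcp.example.com.`, a length-prefixed `token || userToken` encoding (the mail does not specify one), and an in-memory map standing in for the DNS lookup. A real CA would have to insist on DNSSEC-validated answers for that lookup, since the whole check rests on the record the zone returns.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

// TLSARecord mirrors the RDATA of a TLSA RR (RFC 6698).
type TLSARecord struct {
	Usage    uint8 // 3 = DANE-EE
	Selector uint8 // 1 = SubjectPublicKeyInfo
	Matching uint8 // 1 = SHA-256
	Data     []byte
}

// Zone is a constructed, in-memory stand-in for the DNS the CA would query
// (assumption: a real CA needs DNSSEC-validated answers here).
type Zone map[string][]TLSARecord

// Challenge is what the CA sends: (token, challenge type).
type Challenge struct {
	Type  string
	Token []byte
}

// Response is what the user sends back:
// (userToken, SIGNED(token,userToken), publicKey, "tlsa-311").
type Response struct {
	UserToken []byte
	Signature []byte
	PublicKey ed25519.PublicKey
	Type      string
}

// NewAccountKey generates the user's key pair (Ed25519 is an assumption).
func NewAccountKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SPKIFingerprint is the TLSA 3 1 1 association data for a key:
// SHA-256 over the DER-encoded SubjectPublicKeyInfo.
func SPKIFingerprint(pub ed25519.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(der)
	return sum[:], nil
}

// PublishTLSA is the user's preparatory step: put the key fingerprint into
// the zone as a "3 1 1" record, before any challenge is issued.
func PublishTLSA(zone Zone, name string, pub ed25519.PublicKey) error {
	fp, err := SPKIFingerprint(pub)
	if err != nil {
		return err
	}
	zone[name] = append(zone[name], TLSARecord{Usage: 3, Selector: 1, Matching: 1, Data: fp})
	return nil
}

// NewChallenge is the CA side: a fresh random token per challenge.
func NewChallenge() (Challenge, error) {
	tok := make([]byte, 32)
	if _, err := rand.Read(tok); err != nil {
		return Challenge{}, err
	}
	return Challenge{Type: "tlsa-311", Token: tok}, nil
}

// signedMessage is an assumed encoding: each field is length-prefixed so the
// boundary between token and userToken cannot be shifted by either party.
func signedMessage(token, userToken []byte) []byte {
	msg := make([]byte, 0, 8+len(token)+len(userToken))
	for _, part := range [][]byte{token, userToken} {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(part)))
		msg = append(msg, l[:]...)
		msg = append(msg, part...)
	}
	return msg
}

// Respond is the user side: choose a random userToken and sign both tokens.
func Respond(ch Challenge, priv ed25519.PrivateKey) (Response, error) {
	userTok := make([]byte, 32)
	if _, err := rand.Read(userTok); err != nil {
		return Response{}, err
	}
	sig := ed25519.Sign(priv, signedMessage(ch.Token, userTok))
	return Response{UserToken: userTok, Signature: sig,
		PublicKey: priv.Public().(ed25519.PublicKey), Type: ch.Type}, nil
}

// Verify is the CA side: the signature must be valid for the presented key,
// and that key must already be published as a TLSA 3 1 1 record for the name.
func Verify(zone Zone, name string, ch Challenge, resp Response) error {
	if resp.Type != ch.Type {
		return errors.New("challenge type mismatch")
	}
	if len(resp.PublicKey) != ed25519.PublicKeySize {
		return errors.New("bad public key length")
	}
	if !ed25519.Verify(resp.PublicKey, signedMessage(ch.Token, resp.UserToken), resp.Signature) {
		return errors.New("signature does not verify")
	}
	fp, err := SPKIFingerprint(resp.PublicKey)
	if err != nil {
		return err
	}
	for _, rr := range zone[name] {
		if rr.Usage == 3 && rr.Selector == 1 && rr.Matching == 1 && bytes.Equal(rr.Data, fp) {
			return nil
		}
	}
	return fmt.Errorf("no TLSA 3 1 1 record for %s matches the presented key", name)
}

func main() {
	pub, priv, _ := NewAccountKey()
	zone := Zone{}
	name := "_443._tcp.example.com." // assumed owner name
	_ = PublishTLSA(zone, name, pub)  // done by the user ahead of time
	ch, _ := NewChallenge()           // CA -> user
	resp, _ := Respond(ch, priv)      // user -> CA
	fmt.Println("verify:", Verify(zone, name, ch, resp))
}
```

The order of checks in Verify matters: the signature proves possession of the private key for the key the user sent, and the fingerprint comparison proves that this same key is the one the zone vouched for; either check alone would let an attacker substitute a key of his own.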