On Thu, Dec 17, 2015 at 2:40 PM, Eric Mill <[email protected]> wrote:
> > On Thu, Dec 17, 2015 at 11:19 AM, Andrew Ayer <[email protected]> > wrote: > > Yes, but this forces users to do the work of adding a second CNAME that > points to the third party service, and prevents the service from doing it > themselves. > > The user base that would *benefit* from keeping the prefix consists of > users who want to CNAME their domain to a service (instead of full DNS > delegation) but who wish to obtain a cert themselves and then upload that > certificate to the service they've CNAMEd their domain to. That user base > sounds relatively small to me -- certainly smaller than the number of users > who currently use (or would use) custom domain support on third party > services. > > To me, it seems like we'll get more widespread use of ACME (and HTTPS > adoption) by allowing large services to just "flip the switch" for > everyone, rather than involving the user in this decision. > > So, I'm a wee bit concerned that taking the user out of the decision entirely will leave us in a place where the user doesn't have an easy way to withdraw approval for this. If a user transitions from the user base you are focused on to the one where they obtain the cert themselves, I'm not sure how that works. Put another way, I think we're tryin to make it easy for the user to get what they want; we're not trying to set it up so that they're not involved in deciding what they want. Just my personal opinion, Ted
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
