On Fri, Dec 18, 2015 at 11:49 AM, Ted Hardie <[email protected]> wrote:
> On Thu, Dec 17, 2015 at 2:40 PM, Eric Mill <[email protected]> wrote:
>
>> To me, it seems like we'll get more widespread use of ACME (and HTTPS
>> adoption) by allowing large services to just "flip the switch" for
>> everyone, rather than involving the user in this decision.
>
> So, I'm a wee bit concerned that taking the user out of the decision
> entirely will leave us in a place where the user doesn't have an easy way
> to withdraw approval for this. If a user transitions from the user base
> you are focused on to the one where they obtain the cert themselves, I'm
> not sure how that works.
>
> Put another way, I think we're trying to make it easy for the user to get
> what they want; we're not trying to set it up so that they're not involved
> in deciding what they want.

I meant this in a user-empowering way -- that users are able to get HTTPS established for them without them having to do any work, and services are able to roll out HTTPS support from a central vantage point without reaching out to existing user bases.

If a user wants to withdraw approval, the CNAME is always theirs to revoke.

The case of a user really liking a third party service, but for some reason really disliking that service's choice of an ACME-based CA, seems unusual to me and also something best left to market competition among services. Users don't generally care or review a third party service's choice of e.g. web server proxy, and the choice of CA is likely to belong in a similar bucket.

-- Eric

> Just my personal opinion,
>
> Ted

--
konklone.com | @konklone <https://twitter.com/konklone>
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
