Hello list,

On 07.12.2015 01:32, Manger, James wrote:
>>> Ideally, it [Let's Encrypt] would use the IP of the requester
>>> (of course only after it has verified that the IP is in the
>>> DNS) or allow the requester to specify a preferred IP.
>
> This is quite a sensible feature request from Jonas. It supports
> multiple servers for a domain while encouraging keys that are tied
> to a single piece of hardware, without adding extra coordination
> requirements. It doesn't feel too onerous for CAs to implement.

Having the keys bound to a single piece of hardware (or administrative
sub-domain) is also what we had in mind. Thank you for bringing that up
in clearer wording.

>> There's a fairly good solution available with the current
>> protocol, which is to serve a (long lived) redirect from
>> /.well-known/acme-challenge/ on all of the servers to a
>> different URL that is always answered by the machine you run an
>> ACME client on.
>
> This redirect-based workaround feels far from ideal. It assumes 1
> server does all the ACME bits, which discourages per-hardware
> keys. It requires more coordination between servers (1 is
> different; others need its IP; need some extra mechanism to
> distribute key+cert once issued).

We totally agree. The additional coordination overhead feels
unnecessary and error prone.

I am not at all familiar with the processes in an IETF WG. What is the
way forward to get my proposal either into the protocol or officially
dismissed?

best regards,
Jonas

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
