On Sun, 31 Jan 2016 08:40:03 +0000 Hugo Landau <[email protected]> wrote:
> You misunderstand, perhaps I should clarify the wording; the server
> never tells. You don't get to know the random subdomains it requests.
> This ensures that the wildcard exists and is under control.
>
> Adding a requirement for base domain control would be fine but I don't
> see the need.

Ohhh, I see. Yes, I misunderstood. That seems secure and I agree the base domain doesn't need to be validated with that scheme.

Perhaps the "hostname" field I proposed could support wildcards. If the server sends the client a challenge with a wildcard in the hostname, the client would need to be prepared to respond to the challenge on any hostname matching the wildcard. The CA can choose whether to send a challenge for "*.example.com" or just "example.com" when validating a wildcard authz for "*.example.com".

That said, it seems like it might be hard for the client to complete the challenge when it doesn't know the exact hostnames. Apache and nginx support wildcards for matching virtual hosts, but do other web servers? DNS only supports wildcards in the left-most label, so there's no way to provision a TXT record for _acme-challenge.*.example.com unless you have a fancy DNS server. (Although I don't think this scheme is needed with DNS - I don't think there's a likely scenario where someone could set a TXT record for _acme-challenge.example.com, but not for _acme-challenge in any arbitrary sub-domain of example.com.)

--
Andrew

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
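As an added illustration of the wildcard "hostname" field proposed above (example code, not from the ACME draft or either poster): the client-side scope check that decides whether a challenge on a random subdomain falls under a wildcard pattern, using DNS wildcard semantics (left-most label only, matching exactly one label), plus the record-name derivation that refuses the un-provisionable `_acme-challenge.*.example.com` case. The pattern rules and function names are assumptions.

```python
"""Wildcard challenge-scope matching for a proposed ACME "hostname" field.

Assumption: the field may carry a DNS-style wildcard ("*.example.com") that,
like a DNS wildcard, is only valid as the left-most label and matches
exactly one label. Not part of any ACME specification.
"""
import re

# Syntax of one DNS hostname label (LDH rule, 1-63 characters).
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def parse_pattern(pattern: str):
    """Validate a challenge hostname/pattern; return (is_wildcard, base_labels)."""
    labels = pattern.lower().rstrip(".").split(".")
    wildcard = labels[0] == "*"
    if wildcard:
        labels = labels[1:]
    # A wildcard anywhere but the left-most label is not valid DNS.
    if not labels or any("*" in l for l in labels) or not all(LABEL.match(l) for l in labels):
        raise ValueError(f"invalid challenge hostname: {pattern!r}")
    return wildcard, labels


def hostname_in_scope(pattern: str, hostname: str) -> bool:
    """True if the CA may probe `hostname` when validating a challenge on `pattern`."""
    wildcard, base = parse_pattern(pattern)
    labels = hostname.lower().rstrip(".").split(".")
    if not all(LABEL.match(l) for l in labels):
        return False
    if not wildcard:
        return labels == base
    # Exactly one extra left-most label; the base domain itself is out of scope.
    return len(labels) == len(base) + 1 and labels[1:] == base


def dns_challenge_record_name(pattern: str) -> str:
    """TXT record name for a DNS-style challenge on a non-wildcard hostname.

    Refuses wildcard patterns: "_acme-challenge.*.example.com" cannot be
    provisioned with an ordinary DNS wildcard, as the discussion notes.
    """
    wildcard, base = parse_pattern(pattern)
    if wildcard:
        raise ValueError("DNS challenge cannot target a wildcard hostname")
    return "_acme-challenge." + ".".join(base)
```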
