By this logic it should be allowed to obtain a certificate for any domain x.y.z.example.com if you have an authorization for example.com. That might be justifiable, but it's a big divergence from the current design of the protocol.
I think given the current design of the protocol, it would be inconsistent to allow wildcard domains to be created due to a base domain authorization.

On Sun, Jan 31, 2016 at 08:01:19PM +0100, Richard Körber wrote:
> > Perhaps the "hostname" field I proposed could support wildcards. If the
> > server sends the client a challenge with a wildcard in the hostname,
> > the client would need to be prepared to respond to the challenge on any
> > hostname matching the wildcard. The CA can choose whether to send
> > a challenge for "*.example.com" or just "example.com" when validating a
> > wildcard authz for "*.example.com".
>
> I couldn't think of a situation where someone owns and controls a domain, but
> would be unable to control any of the subdomains.
>
> So, wouldn't it be sufficient that for a wildcard domain (*.example.com), only
> the domain itself (example.com) is challenged?
>
> --
> Richard Körber
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
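The two authorization rules being contrasted in this exchange, written out as an added illustration (this is not code from the ACME draft, from any CA, or from either poster): a minimal model of how a CA decides whether an existing authorization covers a requested identifier. `covers_strict` is the per-identifier rule the current design implies (an authorization covers exactly the name it was issued for); `covers_base_domain` is the looser rule under discussion, where an authorization for `example.com` would also cover `x.y.z.example.com` and `*.example.com`. The `Authorization` class, the function names and the identifier values are all constructed for the example.

```python
# Added illustration, not code from the ACME specification or this thread.
# Models the two identifier-coverage rules discussed: the strict per-identifier
# rule versus a base-domain authorization covering everything beneath it.
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Authorization:
    """A (hypothetical) record of a completed authorization for one DNS identifier."""
    identifier: str      # name the challenge was satisfied for, e.g. "example.com"
    valid: bool = True   # False once expired, revoked or deactivated


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot marks a fully qualified name.
    return name.rstrip(".").lower()


def covers_strict(authz: Authorization, requested: str) -> bool:
    """Current-design rule: an authorization covers only the identifier it names.

    "*.example.com" and "www.example.com" are distinct identifiers from
    "example.com" and each needs its own authorization."""
    return authz.valid and _normalize(authz.identifier) == _normalize(requested)


def covers_base_domain(authz: Authorization, requested: str) -> bool:
    """Proposed rule: an authorization for a base domain covers the domain itself,
    every name beneath it, and wildcard names beneath it."""
    if not authz.valid:
        return False
    base = _normalize(authz.identifier)
    req = _normalize(requested)
    if req.startswith("*."):
        req = req[2:]            # "*.example.com" is treated as the zone "example.com"
    # Require a label boundary so "notexample.com" is not covered by "example.com".
    return req == base or req.endswith("." + base)


Policy = Callable[[Authorization, str], bool]


def can_issue(authzs: Iterable[Authorization], names: Iterable[str], policy: Policy) -> bool:
    """Issuance is permitted only if every requested name is covered by some authorization."""
    authzs = list(authzs)
    return all(any(policy(a, n) for a in authzs) for n in names)


def admitted_only_by_base_rule(authzs: Iterable[Authorization], candidates: Iterable[str]) -> List[str]:
    """Names the base-domain rule would admit that the strict rule rejects.

    This is the set of issuances the looser rule newly enables, which is the
    divergence the thread is weighing."""
    authzs = list(authzs)
    return [
        n for n in candidates
        if can_issue(authzs, [n], covers_base_domain) and not can_issue(authzs, [n], covers_strict)
    ]


if __name__ == "__main__":
    # Constructed sample: one valid authorization for the base domain.
    held = [Authorization("example.com")]
    wanted = ["example.com", "www.example.com", "x.y.z.example.com", "*.example.com",
              "notexample.com", "example.com.other.test"]
    for name in wanted:
        print(f"{name:28} strict={can_issue(held, [name], covers_strict)!s:5} "
              f"base={can_issue(held, [name], covers_base_domain)}")
    print("newly admitted by base rule:", admitted_only_by_base_rule(held, wanted))
```

The label-boundary check in `covers_base_domain` is the one detail a reviewer should insist on even in a toy model: a suffix comparison without the leading dot would let an authorization for `example.com` cover `notexample.com`, which is a different registrant's name entirely.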
