On Mon, Mar 21, 2016 at 3:43 PM, Ilari Liusvaara <[email protected]>
wrote:

> On Mon, Mar 21, 2016 at 03:36:49PM -0400, Richard Barnes wrote:
> > Having the token also lets the validation server operator specify which
> > names the key is being authorized for.  I might have virtual hosting box
> > with 200 names on it; I don't want to authorize any given key for all of
> > them.
>
> Huh? Aren't authorization lookups inherently per-name (outside ones
> specifically designed to cover multiple names), so admins/servers can
> authorize keys on per-name basis?
>

Sort of.  The query does specify the name (as Host header or QNAME), but
you can certainly imagine scenarios where people make symlinks or CNAMEs
for convenience, and that would have bad consequences if the challenge
response is not specific to an authorization transaction.

Likewise, you could imagine that a website owner might want some control on
which CAs issue (beyond CAA), and the transaction binding (via the token)
also provides that.

--Richard


>
>
> -Ilari
>
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
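The transaction binding Richard describes above, worked through as an added example (this code is not part of the thread and not the ACME reference implementation). It assumes the draft's key-authorization construction, `token "." base64url(JWK_Thumbprint(accountKey))` with the thumbprint computed per RFC 7638, and it simulates the symlink/CNAME situation with a single document root served for two names. The EC JWK and the tokens are constructed sample values, not a real key.

```python
import base64
import hashlib
import hmac
import json
import secrets

# RFC 7638: the members that form the thumbprint input, by key type.
THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}

# Constructed sample account key (coordinates are arbitrary, not a valid point).
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, keys sorted,
    no whitespace, then base64url-encoded."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def new_token() -> str:
    """Server-side token for one authorization transaction (>= 128 bits)."""
    return b64url(secrets.token_bytes(16))


def key_authorization(token: str, jwk: dict) -> str:
    """The response a client provisions for one specific challenge."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def accepts_bound(served: str, expected_token: str, account_jwk: dict) -> bool:
    """Validation check that is specific to the authorization transaction:
    the served response must match this token AND this account key."""
    return hmac.compare_digest(served, key_authorization(expected_token, account_jwk))


def accepts_key_only(served: str, account_jwk: dict) -> bool:
    """Hypothetical weaker check that binds only to the account key.
    Shown for contrast; this is what loses per-name control."""
    return served.split(".", 1)[-1] == jwk_thumbprint(account_jwk)


def simulate_shared_docroot() -> dict:
    """Two names on one virtual host share a document root (a symlink or
    CNAME makes example-a's challenge file reachable as example-b).
    Returns the outcome of validating example-b under both checks."""
    token_a = new_token()   # issued for the example-a authorization
    token_b = new_token()   # issued for a separate example-b authorization
    shared_docroot = {
        # The client only ever provisioned a response for example-a.
        "/.well-known/acme-challenge/" + token_a:
            key_authorization(token_a, ACCOUNT_JWK),
    }
    # The validation server fetches example-b's challenge path; because
    # the document root is shared, whatever exists there is served.
    served = next(iter(shared_docroot.values()))
    return {
        "bound_check": accepts_bound(served, token_b, ACCOUNT_JWK),
        "key_only_check": accepts_key_only(served, ACCOUNT_JWK),
    }


if __name__ == "__main__":
    print(simulate_shared_docroot())  # bound check fails, key-only check passes
```

The key-only variant is included only to make the failure mode visible: a response that proves possession of the account key but not of this transaction's token would let the shared document root validate every name on the box, which is exactly the per-name control the token preserves.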
