On Tue, Jul 26, 2016 at 6:31 AM, Jostein Kjønigsen <[email protected]> wrote:
> The scenario of wanting to issue certificates for specific hosts while at
> the same time having a secondary subject (a top level DNS round robin for
> redundancy) is a very normal use-case. One example would be IRC servers.
>
> My request for the ACME would be: If I can prove I own the top level domain,
> I should also be allowed to issue certs for any subdomain without need for
> verification of those.
I don't see anything in the ACME specification that disallows this at the
protocol level. I think a CA could request that you validate a DNS identifier
of 'example.com', then accept that authorization for the issuance of
'ship.example.com'.

Conversely, ACME does not require that CAs allow this, and I hope it stays
that way. CA policy should be distinct from ACME.

Thanks,
Peter

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
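The decision Peter describes is made on the CA side, after the protocol exchange: given the authorizations a client has already completed, which requested names still need a challenge? The following is an added example, not code from this thread or from any ACME implementation. It models the two policies side by side: the strict one (one valid authorization per exact name) and the permissive one from the thread (a valid authorization for 'example.com' also covers 'ship.example.com'). The Authorization type, the policy functions, and the tiny PUBLIC_SUFFIXES set are assumptions made for illustration; a real CA would consult the full Public Suffix List so that an authorization for a registry suffix such as 'co.uk' is never treated as a parent of someone else's domain.

```python
# Added example: a CA-side coverage check for requested certificate names,
# modelling the two policies discussed in the thread. Not code from the thread
# or from any real ACME CA. The Authorization type, the policy functions and
# the PUBLIC_SUFFIXES set are assumptions made for illustration.
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Constructed stand-in for the Public Suffix List. A real CA would use the full
# list; the point is that a valid authorization for a suffix like "co.uk" must
# never be accepted as covering "bbc.co.uk".
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}


@dataclass(frozen=True)
class Authorization:
    """One ACME authorization: a DNS identifier and its current status."""
    identifier: str
    status: str  # "valid", "pending", "invalid", ...


def normalize(name: str) -> str:
    """Case-fold and drop a trailing dot so names compare as DNS names."""
    return name.strip().lower().rstrip(".")


def is_within(name: str, parent: str) -> bool:
    """True if name equals parent or is a proper subdomain of it.
    The '.' prefix stops 'notexample.com' from matching 'example.com'."""
    name, parent = normalize(name), normalize(parent)
    return name == parent or name.endswith("." + parent)


Policy = Callable[[str, Iterable[Authorization]], bool]


def exact_match_policy(requested: str, authz: Iterable[Authorization]) -> bool:
    """Strict policy: every requested name needs its own valid authorization
    for exactly that name."""
    want = normalize(requested)
    return any(a.status == "valid" and normalize(a.identifier) == want
               for a in authz)


def parent_domain_policy(requested: str, authz: Iterable[Authorization]) -> bool:
    """Permissive policy from the thread: a valid authorization for
    'example.com' also covers 'ship.example.com'. Coverage flows only
    downward (never from 'ship.example.com' to 'example.com') and never
    from a public suffix."""
    for a in authz:
        if a.status != "valid":
            continue
        parent = normalize(a.identifier)
        if parent in PUBLIC_SUFFIXES:
            continue
        if is_within(requested, parent):
            return True
    return False


def missing_identifiers(requested: Iterable[str],
                        authz: Iterable[Authorization],
                        policy: Policy) -> List[str]:
    """Requested names the CA would still have to challenge under the given
    policy, i.e. what is left before the CA can issue."""
    authz = list(authz)  # may be iterated once per requested name
    return [name for name in requested if not policy(name, authz)]


if __name__ == "__main__":
    # Constructed sample: the client has validated only the apex domain.
    validated = [Authorization("example.com", "valid")]
    names = ["example.com", "ship.example.com", "irc.example.com", "example.org"]
    for policy in (exact_match_policy, parent_domain_policy):
        print(policy.__name__, "still needs:",
              missing_identifiers(names, validated, policy))
```

Running it shows the exact-match policy still wanting ship.example.com, irc.example.com and example.org challenged, while the parent-domain policy only wants example.org. Swapping the policy function changes nothing in the authorization objects or the challenge flow, which is the separation between protocol and CA policy that the reply argues for.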
