On Sat, Aug 6, 2016 at 10:36 AM, Jacob Hoffman-Andrews <[email protected]> wrote:

> I also think EKR's comment that we need the ability to authorize domain
> names without immediately issuing is a solid one*. So I think we should
> take the conservative approach and roll back the new-application flow
> for now. I do think we should document wildcard validation before we
> finalize the spec, but new-application may not be the best way to do that.
>
> *Eric, would you mind repeating what you said for the benefit of the
> list? All we have right now are the notes and Richard's paraphrase.

To the best of my memory, my comment was that I thought it was unfortunate that in order to register a domain you would have to generate a valid CSR and potentially actually get it issued. This is especially true if the key you plan to use for authorization is of a type you never intend to issue into an EE (e.g., you are authorizing with Ed25519 but you are planning to issue ECDSA and RSA). And it may not be possible to make these align if you have various restrictions due to HSMs.

-Ekr
