I wrote up some thoughts on this proposal here[1]. In short, I think it's vulnerable to the default vhost attack that caused simpleHTTP to be dropped, and it's not compatible with the "Agreed-Upon Change to Website" method described in the BRs, which would prevent adoption by any publicly-trusted CA.
The proposed workaround for this issue[2] would make this a variant of tls-sni, AIUI, which already has these pseudo-hostnames, so I think we're down to "allow other ports" here, and I believe there's consensus against this.

Patrick

[1]: https://mailarchive.ietf.org/arch/msg/acme/QiXu84RJtURfGVVEYfSpRdtcU5o
[2]: https://mailarchive.ietf.org/arch/msg/acme/NFKJ5sqBePGlJglKRwodc5m4ZEo

On Sat, Dec 3, 2016 at 3:18 AM, Salz, Rich <[email protected]> wrote:
> With the couple of recent pull requests, the document editors are about to
> close all but one issue, #215.
>
> Does the WG have any feelings on this? Is it something we need to address
> NOW, or can we add a new type of challenge later on if there's interest?
>
> Please reply on-list by early next week.
>
> --
> Senior Architect, Akamai Technologies
> Member, OpenSSL Dev Team
> IM: [email protected] Twitter: RichSalz
>
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
