So, a user is likely to control multiple servers accessible via DNS. It would be helpful if the user had a way to manage revocation for all DNS names from a single key. Such a key would be usable for revocation without being usable for requesting issuance of new certificates.
Perhaps that isn't sufficiently useful. Today I have quite a few servers; because of the default design, each server has its own key id. Say I'd like to consolidate all of my identities into a single account. There doesn't seem to be any particular way for me to do that either. I could of course copy over a key I have, use it to generate a replacement certificate, and then have my server revoke the certificates issued to the prior key, but that's awkward, and I'm not sure I want my certificate history to show that I revoked certificates. (From a review perspective, I haven't gotten to the revocation portion of the specification.)

Lastly, I have no idea if it's a good or bad thing for me to consolidate accounts.

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
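The post above proposes a key that can revoke certificates for all of a user's DNS names without being able to request issuance. The following is an added illustration of that idea as a server-side authorization check; it is not part of the original message, not code from any ACME draft or implementation, and the request format, the `capabilities`/`names` fields, and the HMAC stand-in for the JWS signature are all assumptions made for the example.

```python
"""Capability-scoped account keys: a revocation-only key that covers many DNS
names but cannot request issuance. Hypothetical design sketch, not ACME."""
import hashlib
import hmac
import json
from dataclasses import dataclass

ISSUE = "issue"    # request a new certificate order
REVOKE = "revoke"  # revoke an existing certificate


@dataclass(frozen=True)
class AccountKey:
    kid: str
    secret: bytes               # HMAC secret stands in for a JWS signing key (assumption)
    capabilities: frozenset     # which actions this key may perform
    names: frozenset            # DNS names this key may act on


def _canonical(payload: dict) -> bytes:
    # Deterministic encoding so client and server MAC the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_request(key: AccountKey, payload: dict) -> dict:
    """Client side: produce a signed request envelope (hypothetical format)."""
    mac = hmac.new(key.secret, _canonical(payload), hashlib.sha256).hexdigest()
    return {"kid": key.kid, "payload": payload, "sig": mac}


class Authorizer:
    """CA side: verify the signature, then enforce capability and name scope."""

    def __init__(self) -> None:
        self._keys: dict[str, AccountKey] = {}

    def register(self, key: AccountKey) -> None:
        self._keys[key.kid] = key

    def authorize(self, request: dict) -> tuple[bool, str]:
        key = self._keys.get(request.get("kid"))
        if key is None:
            return False, "unknown kid"
        expected = hmac.new(key.secret, _canonical(request["payload"]),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison to avoid leaking the MAC byte by byte.
        if not hmac.compare_digest(expected, request.get("sig", "")):
            return False, "bad signature"
        action = request["payload"].get("action")
        name = request["payload"].get("dns")
        # Capability check: a revocation-only key is rejected for issuance.
        if action not in key.capabilities:
            return False, f"key {key.kid} lacks capability {action!r}"
        # Scope check: a key cannot act on names it was not registered for.
        if name not in key.names:
            return False, f"key {key.kid} not authorized for {name!r}"
        return True, "ok"


def demo() -> dict:
    """Constructed scenario: two per-server issuance keys plus one
    revocation-only key covering both names. Returns each decision."""
    auth = Authorizer()
    web = AccountKey("web-1", b"web-secret", frozenset({ISSUE, REVOKE}),
                     frozenset({"www.example.com"}))
    mail = AccountKey("mail-1", b"mail-secret", frozenset({ISSUE, REVOKE}),
                      frozenset({"mail.example.com"}))
    revoker = AccountKey("revoke-all", b"revoke-secret", frozenset({REVOKE}),
                         frozenset({"www.example.com", "mail.example.com"}))
    for k in (web, mail, revoker):
        auth.register(k)

    results = {
        "web_issues_own": auth.authorize(
            sign_request(web, {"action": ISSUE, "dns": "www.example.com"})),
        "web_issues_other": auth.authorize(
            sign_request(web, {"action": ISSUE, "dns": "mail.example.com"})),
        "revoker_revokes_mail": auth.authorize(
            sign_request(revoker, {"action": REVOKE, "dns": "mail.example.com"})),
        "revoker_issues": auth.authorize(
            sign_request(revoker, {"action": ISSUE, "dns": "www.example.com"})),
    }
    # Tampering with a signed payload must fail verification.
    forged = sign_request(revoker, {"action": REVOKE, "dns": "www.example.com"})
    forged["payload"]["action"] = ISSUE
    results["forged_payload"] = auth.authorize(forged)
    return results


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case}: {'ALLOW' if ok else 'DENY'} ({why})")
```

The point of the sketch is that the revocation key is a distinct principal with a narrower capability set, so losing it lets an attacker cause outages (revocation) but not obtain certificates for the user's names; that is the separation the post asks for.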