I'm not sure I understand why the section that describes HTTP
validation so specifically forbids using HTTPS. On the other hand, I
can think of use cases where I would want *only* HTTPS
authorization:

- The server only supports HTTPS, and perhaps port 80 is blocked by a
  firewall. This situation applies to many REST endpoints.
- I am migrating from a non-ACME to an ACME cert, and so the server has
  a perfectly valid HTTPS cert. Or migrating from one ACME CA to a
  different one.
- I would like to ensure (using CAA records) that my CA is not subject
  to a DNS cache corruption attack - a threat that the ACME Security
  Considerations specifically mention.

I would suggest that we specify a HTTPS validation that's exactly like
http-01, except that it runs over authenticated HTTPS.

Thanks,
Yaron
