On Mon, Nov 13, 2017 at 11:31:49AM +0100, Sebastian Nielsen wrote:
> First, I want to make a suggestion, and that is possibility for a permanent
> domain authorization.
>
> The CABF says that it is permitted to use SPKI hash or CSR hash as
> authentication token, without any nonce.

Such a token would be valid for one use only unless timestamped. And even if
timestamped, it would be limited to 30 days at most.

> Since SPKI hash is static for the same public key, and the CSR hash is
> static if you use the same CSR all the time, it would be permitted as a
> pre-authorization.

The token would still change, see above.

> Thus avoiding an unnecessary restart of the name server each renewal.

Use DNS dynamic updates. There is a 20-year-old RFC(!) describing one way of
doing that. And then there are many DNS-server-specific ways. And automating
DNS-01 requires such an API anyway.

If talking about HTTP-01, it does not require server restart/reload in
anything I know of. And TLS-SNI-02 is insane without special server support
(which presumably eliminates restarts/reloads too).

-Ilari

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
