> > In effect, the CNAME record would act like a long-term delegation
> > permitting the CA to issue continuously for the base domain.
>
> I can imagine that this introduces a new risk of domain
> administrators "forgetting" about having made a long-term delegation
> of _acme-challenge to the CA and unwittingly authorize an account
> key to issue certificates for any name longer than intended. Any need
> to mitigate this?

It seems like each existing challenge type requires a user to prove
continued ownership of the identifier to receive authorization.

This challenge, however, is different: an action serves as proof of
ownership until it is un-done.

Hypothetical: how would we feel about an assisted-http-01 challenge
that, analogously, provides users with an address to use in an HTTP
redirect for resources under /.well-known/acme-challenge?

The CA would instruct subscribers to delegate the /.well-known/acme-challenge
directory to a subdomain of the CA's hosted DNS domain.

The assisted-http-01 challenge would then be validated like http-01,
except: As the first step in validation, the CA would deploy the
expected resource at 1234.challenges.ca.example.net.

Then the CA would continue to perform a GET operation on the usual
resource "GET example.com/.well-known/acme-challenge/...", which
would redirect to 1234.challenges.ca.example.net/...

In a way, fetching the final resource would also be a formality: the CA
could in theory stop once it saw the redirect pointed at the right
location, though most likely abiding by the terms of the BRs would
likewise require following the formal lookup steps.

I think this hypothetical assisted-http-01 is a fair analog, but does
not seem like something we would want to support. And given that, I'm
not convinced the added complexity of automation or difficulty of
protecting DNS credentials are sufficient to justify assisted-dns-01.

Zach
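To make the "proof persists until un-done" property concrete, here is an added Python model of the hypothetical assisted-http-01 flow sketched in the message above. It is not code from the post, the ACME working group, or any CA; the host name 1234.challenges.ca.example.net comes from the post, while the in-memory web, the function names and the token values are constructed for illustration. The CA publishes the expected key authorization on its own delegate host, fetches the subscriber's challenge URL, follows the redirect, and accepts only if the chain ends on the delegate host with the right body. A plain http-01 validation is modelled beside it so the difference in who has to act is visible: once the subscriber's redirect is in place, every later assisted validation succeeds with no further subscriber involvement until the redirect is removed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
MAX_REDIRECTS = 5  # assumed cap; real CAs have their own limit


@dataclass
class Response:
    status: int
    body: str = ""
    location: Optional[str] = None


class FakeWeb:
    """Constructed stand-in for the public web: exact pages plus per-host prefix redirects."""

    def __init__(self) -> None:
        self.pages: Dict[Tuple[str, str], str] = {}          # (host, path) -> body
        self.redirects: Dict[str, Tuple[str, str]] = {}      # host -> (path prefix, target host)

    def publish(self, host: str, path: str, body: str) -> None:
        self.pages[(host, path)] = body

    def unpublish(self, host: str, path: str) -> None:
        self.pages.pop((host, path), None)

    def redirect_prefix(self, host: str, prefix: str, target_host: str) -> None:
        """Subscriber's one-time action: redirect the challenge directory to the CA's delegate host."""
        self.redirects[host] = (prefix, target_host)

    def remove_redirect(self, host: str) -> None:
        self.redirects.pop(host, None)

    def get(self, host: str, path: str) -> Response:
        if (host, path) in self.pages:
            return Response(200, self.pages[(host, path)])
        rule = self.redirects.get(host)
        if rule and path.startswith(rule[0]):
            # Path-preserving redirect, as described in the post: example.com/... -> delegate/...
            return Response(302, location=f"http://{rule[1]}{path}")
        return Response(404)


def fetch_following_redirects(web: FakeWeb, host: str, path: str) -> Tuple[str, Response]:
    """Return (final host, final response), bounded by MAX_REDIRECTS."""
    for _ in range(MAX_REDIRECTS + 1):
        resp = web.get(host, path)
        if resp.status not in (301, 302, 307, 308) or not resp.location:
            return host, resp
        parts = urlsplit(resp.location)
        host, path = parts.hostname or host, parts.path
    raise RuntimeError("too many redirects")


def validate_http01(web: FakeWeb, domain: str, token: str, key_authz: str) -> bool:
    """Ordinary http-01: the subscriber must have placed key_authz at the token path themselves."""
    _, resp = fetch_following_redirects(web, domain, CHALLENGE_PREFIX + token)
    return resp.status == 200 and resp.body.strip() == key_authz


def validate_assisted_http01(web: FakeWeb, domain: str, token: str,
                             key_authz: str, delegate_host: str) -> bool:
    """Hypothetical assisted-http-01: the CA deploys the resource, then checks the redirect lands on it."""
    path = CHALLENGE_PREFIX + token
    web.publish(delegate_host, path, key_authz)           # step 1: CA deploys the expected resource
    try:
        final_host, resp = fetch_following_redirects(web, domain, path)
        # Landing on the right host matters: a matching body served from elsewhere proves nothing here.
        return final_host == delegate_host and resp.status == 200 and resp.body == key_authz
    finally:
        web.unpublish(delegate_host, path)                 # CA cleans up its own resource


def demo() -> Tuple[bool, bool, bool, bool]:
    web = FakeWeb()
    delegate = "1234.challenges.ca.example.net"
    web.redirect_prefix("example.com", CHALLENGE_PREFIX, delegate)   # subscriber acts once
    first = validate_assisted_http01(web, "example.com", "tok-A", "tok-A.thumb", delegate)
    second = validate_assisted_http01(web, "example.com", "tok-B", "tok-B.thumb", delegate)  # no new action
    plain = validate_http01(web, "example.com", "tok-C", "tok-C.thumb")   # nothing provisioned -> fails
    web.remove_redirect("example.com")                                     # delegation "un-done"
    after_removal = validate_assisted_http01(web, "example.com", "tok-D", "tok-D.thumb", delegate)
    return first, second, plain, after_removal


if __name__ == "__main__":
    print(demo())  # (True, True, False, False)
```

Reading `demo()` against the thread: the second assisted validation succeeding without any subscriber action is exactly the long-lived authorization the quoted question worries about, and the only thing that ends it is the subscriber removing the redirect.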

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme