I have seen the BR, and what I understand, the purpose of BRs are to provide a specific security goal. In this case, to prevent someone from aquiring control of a domain, and then subsuquently, after losing control of said domain, being able to still renew and reissue certificates for said domain.
If the same security goal can be implemented using another method, my understanding is that its acceptable, provided that method provides equal or greater security than one of the accepted methods in BR right? Think like "compensating controls" in PCI/DSS. -----Ursprungligt meddelande----- Från: Tim Hollebeek [mailto:[email protected]] Skickat: den 23 januari 2018 17:54 Till: Sebastian Nielsen <[email protected]>; 'Jacob Hoffman-Andrews' <[email protected]>; [email protected] Ämne: RE: Re: [Acme] Assisted-DNS challenge type [invalid signature!] [invalid signature!] > I think that it could be acceptable to "reuse" an old validation provided > WHOIS > is checked right? > Eg, if a hash is made of all the WHOIS data, and all the WHOIS data stays > identical from last validation, then theres proof that control of domain has > not > shifted in the meantime, which is the main reason to implement random > challenge checks. No. See the BRs for what "reuse" means. People have to stop re-interpreting the BRs to mean what they want them to mean. You don't get to make up your own methods that satisfy whatever "main reason" that you believe motivates the requirements. That's method 11, which we spent over a year removing (and for good reason). -Tim
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
