On Fri, Feb 23, 2018 at 04:41:20PM +0000, Stephen Farrell wrote:
> On 23/02/18 16:31, Salz, Rich wrote:
> > 
> >> Here is the ID:
> >> https://datatracker.ietf.org/doc/draft-shoemaker-acme-tls-alpn/
> > 
> > Should the WG adopt this document?  
> Yes.
> Having a sufficiently secure mechanism that works on port 443 is
> a good thing in general. I'm not sure how many folks were using
> tls-sni-01 for new domains (I was), but whatever that number was
> is, I think, evidence that a port 443 scheme fills a real need.

Having a port 443 scheme is handy if you have a webserver with
built-in support for ACME (not having to mess with either port
80 or DNS for validation).

Apparently there are some users that are unwilling or unable to
open port 80. And DNS is hit or miss depending on the provider.

> I assume that if problems are found with the new mechanism
> (whether those be technical, due to odd deployments or I guess
> even cabforum politics;-) then we'd recognise that and stop
> the work. The fact that we did that to tls-sni-02 should be
> reassuring wrt this.

I think virtually all of the CABForum issues are associated
with being sceptical about security of schemes like this.


Acme mailing list