There is a slight disconnect with the current specification between
identifiers in newOrder/newAuthz requests and identifiers in authorization
objects. The former is allowed to include wildcard domains in the value of
DNS type identifiers while the latter is forbidden.
Let's Encrypt's implementation of ACME wildcard issuance guessed this might
lead to confusion and introduced a non-standardized "Wildcard" boolean
field in authorization objects. If true, then the identifier value in the
authorization identifier is known to be the base domain corresponding to a
wildcard identifier from the newOrder/newAuthz request.
I think it would be beneficial to the entire ecosystem if this optional
"wildcard" authz field could be standardized so I've sent a small PR:
https://github.com/ietf-wg-acme/acme/pull/402 Both Certbot and ACME4J have
independently bumped into this disconnect, which helps justify the need.
- Daniel / cpu
Acme mailing list