The latest CAB forum guidelines stipulate that:

1) Demonstration of control of a CNAME for the given FQDN can suffice for authorization.

2) “The CA may prune zero or more labels from left to right until encountering a Base Domain Name and may use any one of the intermediate values for the purpose of domain validation.”

-----

ACME doesn’t seem to build in the flexibility to make use of either of these options. Was this by design? I know in the case of HTTP-based validation, Let’s Encrypt, at least, consciously decided not to consider demonstration of control of a parent domain to imply control of a subdomain (with wildcards, anyhow), but at least for DNS-based DCV, should demonstration of control of “example.com” not imply control of “foo.bar.example.com” for the purposes of authorization?

-FG

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
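The following is an added illustration of the gap the post asks about; it is example code written for this page, not code from the poster, the ACME specification or any CA. It puts the two procedures side by side: the label-pruning rule quoted from the Baseline Requirements (enumerating every intermediate name from the FQDN down to the Base Domain Name), and what RFC 8555 dns-01 actually requires (a TXT record at `_acme-challenge.` prefixed to the exact identifier, holding base64url(SHA-256(token "." account-key-thumbprint))). It also resolves the challenge name through a constructed zone so the CNAME case is visible: a normal TXT lookup follows the CNAME, so the record can live anywhere the CNAME points. The `PUBLIC_SUFFIXES` set is a constructed stand-in for the Public Suffix List, the zone data and the token/thumbprint values are constructed, and `base_domain`, `br_candidate_names`, `dns01_record_name`, `dns01_txt_value` and `resolve_txt` are names chosen for this example.

```python
import base64
import hashlib

# Constructed stand-in for the Public Suffix List; a real validator would load the PSL.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def base_domain(fqdn: str) -> str:
    """Base Domain Name: the public suffix plus one label (e.g. example.com, example.co.uk)."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{fqdn} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix in {fqdn}")


def br_candidate_names(fqdn: str) -> list[str]:
    """The names the quoted BR rule lets a CA validate at: prune labels left to right
    from the FQDN until the Base Domain Name is reached, keeping every intermediate value."""
    name = fqdn.rstrip(".").lower()
    base = base_domain(name)
    labels = name.split(".")
    candidates = []
    while True:
        candidates.append(".".join(labels))
        if ".".join(labels) == base:
            return candidates
        labels = labels[1:]


def dns01_record_name(identifier: str) -> str:
    """RFC 8555 dns-01: the TXT record lives at _acme-challenge.<identifier>; for a
    wildcard identifier the leading "*." is dropped, nothing else is pruned."""
    name = identifier.rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]
    return "_acme-challenge." + name


def dns01_txt_value(token: str, account_key_thumbprint: str) -> str:
    """RFC 8555 dns-01: base64url(SHA-256(keyAuthorization)) without padding, where
    keyAuthorization = token || "." || base64url(JWK thumbprint of the account key)."""
    key_authz = f"{token}.{account_key_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authz).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def resolve_txt(zone: dict[str, tuple[str, str]], name: str, max_hops: int = 8) -> list[str]:
    """Minimal resolver over a constructed zone: follow CNAMEs (bounded) and return TXT
    values at the final owner name. This is the behaviour any ordinary TXT query has,
    which is why a CNAME on the challenge name is honoured without special ACME support."""
    name = name.rstrip(".").lower()
    for _ in range(max_hops):
        rrtype, rdata = zone.get(name, ("NXDOMAIN", ""))
        if rrtype == "CNAME":
            name = rdata.rstrip(".").lower()
            continue
        return [rdata] if rrtype == "TXT" else []
    raise RuntimeError("CNAME chain too long")


def dns01_satisfied(zone: dict, identifier: str, token: str, thumbprint: str) -> bool:
    """True if the TXT record at the (possibly CNAME-redirected) challenge name matches."""
    expected = dns01_txt_value(token, thumbprint)
    return expected in resolve_txt(zone, dns01_record_name(identifier))


if __name__ == "__main__":
    # Constructed token and account-key thumbprint (not real ACME values).
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    thumbprint = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
    value = dns01_txt_value(token, thumbprint)

    # Constructed zone: the challenge name for foo.bar.example.com is a CNAME into a
    # delegated validation zone, which is where the TXT record actually sits.
    zone = {
        "_acme-challenge.foo.bar.example.com": ("CNAME", "foo.acme-dcv.example.net"),
        "foo.acme-dcv.example.net": ("TXT", value),
        "_acme-challenge.example.com": ("TXT", value),  # proof of control at the parent
    }

    print("BR candidate names:", br_candidate_names("foo.bar.example.com"))
    print("ACME dns-01 name:  ", dns01_record_name("foo.bar.example.com"))
    print("CNAME-redirected record accepted:", dns01_satisfied(zone, "foo.bar.example.com", token, thumbprint))
    # A TXT at the parent alone does not satisfy dns-01 for the child identifier.
    zone_parent_only = {"_acme-challenge.example.com": ("TXT", value)}
    print("Parent-only record accepted:", dns01_satisfied(zone_parent_only, "foo.bar.example.com", token, thumbprint))
```

Running it shows three BR candidates (`foo.bar.example.com`, `bar.example.com`, `example.com`) against the single dns-01 name `_acme-challenge.foo.bar.example.com`; the CNAME-redirected record validates, while a record at `_acme-challenge.example.com` alone does not validate the child identifier.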