The latest CAB forum guidelines stipulate that:

1) Demonstration of control of a CNAME for the given FQDN can suffice for 

2) “The CA may prune zero or more labels from left to right until encountering 
a Base Domain Name and may use any one of the intermediate values for the 
purpose of domain validation.”


ACME doesn’t seem to build in the flexibility to make use of either of these 
options. Was this by design?

I know in the case of HTTP-based validation, Let’s Encrypt, at least, 
consciously decided not to consider demonstration of control of a parent domain 
to imply control of a subdomain (with wildcards, anyhow), but at least for 
DNS-based DCV should demonstration of control of “” not imply 
control of “” for the purposes of authorization?
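An added example (not from the original post, and not ACME or CA/B Forum code) that models the "prune labels from left to right until a Base Domain Name" rule quoted above beside ACME's per-identifier authorization; the small public-suffix set is a constructed stand-in for the Public Suffix List a CA would actually consult.

```python
# Constructed stand-in for the Public Suffix List; a real CA derives
# Base Domain Names from the full list, not from this set.
PUBLIC_SUFFIXES = {"com", "net", "co.uk"}


def _labels(name: str) -> list[str]:
    return name.lower().rstrip(".").split(".")


def base_domain_name(fqdn: str) -> str:
    """Return the Base Domain Name: one label below the longest matching public suffix."""
    labels = _labels(fqdn)
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{fqdn} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix for {fqdn}")


def cabf_authorization_domain_names(fqdn: str) -> list[str]:
    """Names a CA may validate for fqdn under the CA/B Forum pruning rule:
    the FQDN itself, then each ancestor, stopping at the Base Domain Name."""
    base = base_domain_name(fqdn)
    labels = _labels(fqdn)
    candidates = []
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        candidates.append(name)
        if name == base:
            break
    return candidates


def cabf_validation_authorizes(validated: str, requested: str) -> bool:
    """CA/B Forum: validating any name on the pruned list covers the requested FQDN."""
    return ".".join(_labels(validated)) in cabf_authorization_domain_names(requested)


def acme_validation_authorizes(validated: str, requested: str) -> bool:
    """ACME (RFC 8555): an authorization is bound to one identifier. A dns-01
    record at _acme-challenge.<validated> covers exactly <validated>, or
    *.<validated> when the authorization was issued with wildcard=true;
    control of a parent never carries down to arbitrary subdomains."""
    v = ".".join(_labels(validated))
    r = ".".join(_labels(requested))
    return r == v or (r.startswith("*.") and r[2:] == v)
```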

