> On Sep 11, 2020, at 9:08 AM, Simon Ser <cont...@emersion.fr> wrote:
>
> For instance, it would be possible to require users to add a short public key
> in a DNS TXT record, then ask the ACME client to sign challenges with that
> key.
> Something like this would significantly ease the development of ACME clients.
This would seem to introduce a new vector--key compromise--for being able to impersonate the domain, wouldn't it? Such an authz method would be proving not access to the domain itself, but access to the key, and would be vulnerable to local misconfigurations. It seems thus not dissimilar to the erstwhile problem with tls-sni-01/02.

-F

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
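To make the distinction in the reply above concrete, here is a small Go model written for this edit; it is not code from the thread, from any ACME client, or from any CA. It assumes a hypothetical "_acme-key" TXT record holding a long-lived Ed25519 public key for the proposed challenge, uses a constructed in-memory map in place of DNS, and compares that check with the dns-01 record value from RFC 8555 (base64url of SHA-256 over token "." account-key thumbprint). The scenario runs both checks for the zone owner and for a second party who holds a copy of the private key but cannot write DNS.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// zone is a constructed stand-in for DNS: owner name -> TXT record values.
type zone map[string][]string

// verifyKeyChallenge models the proposal quoted above (hypothetical record
// name "_acme-key"): the CA reads a long-lived public key from DNS and
// accepts any valid signature over its token. Nothing here checks that the
// signer can change the zone right now; it checks possession of the key.
func verifyKeyChallenge(z zone, domain, token string, sig []byte) bool {
	for _, txt := range z["_acme-key."+domain] {
		pub, err := base64.StdEncoding.DecodeString(txt)
		if err != nil || len(pub) != ed25519.PublicKeySize {
			continue
		}
		if ed25519.Verify(ed25519.PublicKey(pub), []byte(token), sig) {
			return true
		}
	}
	return false
}

// keyAuthDigest is the dns-01 record value from RFC 8555 section 8.4:
// base64url(SHA-256(token "." account-key-thumbprint)).
func keyAuthDigest(token, thumbprint string) string {
	sum := sha256.Sum256([]byte(token + "." + thumbprint))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// verifyDNS01 models dns-01: the CA expects a per-challenge value that only
// someone able to write _acme-challenge.<domain> at validation time can place.
func verifyDNS01(z zone, domain, token, thumbprint string) bool {
	want := keyAuthDigest(token, thumbprint)
	for _, txt := range z["_acme-challenge."+domain] {
		if txt == want {
			return true
		}
	}
	return false
}

// newToken produces a fresh random challenge token, as a CA would per challenge.
func newToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// outcome records which parties pass each challenge type.
type outcome struct {
	KeyChallengeOwner, KeyChallengeLeakedKey bool
	DNS01Owner, DNS01LeakedKey               bool
}

// runScenario: the domain owner controls the zone; a second party holds a copy
// of the owner's private key (for example via a world-readable key file, the
// local misconfiguration case) but cannot write DNS. Compare what each
// challenge actually proves.
func runScenario() outcome {
	const domain = "example.test"                         // constructed
	const thumbprint = "constructed-account-thumbprint" // constructed
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	z := zone{}
	// Owner publishes the key once, as the proposal suggests.
	z["_acme-key."+domain] = []string{base64.StdEncoding.EncodeToString(pub)}

	var o outcome
	// Key challenge: owner and key holder both sign fresh tokens; both pass,
	// because the CA only ever verifies against the static published key.
	t1 := newToken()
	o.KeyChallengeOwner = verifyKeyChallenge(z, domain, t1, ed25519.Sign(priv, []byte(t1)))
	t2 := newToken()
	o.KeyChallengeLeakedKey = verifyKeyChallenge(z, domain, t2, ed25519.Sign(priv, []byte(t2)))

	// dns-01: the owner writes the per-challenge record and passes; the key
	// holder can compute the same digest but has no way to publish it.
	t3 := newToken()
	z["_acme-challenge."+domain] = []string{keyAuthDigest(t3, thumbprint)}
	o.DNS01Owner = verifyDNS01(z, domain, t3, thumbprint)
	t4 := newToken()
	o.DNS01LeakedKey = verifyDNS01(z, domain, t4, thumbprint)
	return o
}

func main() {
	fmt.Printf("%+v\n", runScenario())
}
```

Running it prints KeyChallengeOwner and KeyChallengeLeakedKey both true, while DNS01LeakedKey is false: the proposed check binds the authorization to whoever can use the key, whereas dns-01 binds it to whoever can change the zone at validation time. Mitigations for the proposed design would have to come from key handling (file permissions, rotation, revoking the published key), not from the challenge itself.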