After RFC 8823 I thought it would be trivial to apply its process to TLS
certificates by verifying email of various authorized email addresses (like
[email protected] or an email set by Whois/CAA/TXT etc.), but there is a
problem: it sends mail when the server replies with the authorization, even if
the client has no intent to use that kind of challenge. While this could be
used as a warning mail for someone trying to validate your domain, this is
not an expected result. And even in the S/MIME context, if we ever make some
other type of challenge while the server still supports email-reply-00, it
will send two mails for both types of challenge message to the mailing address.

I think there are two ways of 'arming' a challenge with a side effect:
1. Make a challenge that doesn't boot up until the client responds to the
challenge the first time. It will obviously fail because the client doesn't
get the info needed to validate, but let the challenge retry mechanism
handle that.
2. Same as 1, but use some custom payload like 'run' or
something. We can do that when we make a new challenge protocol.
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
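A small model of the two server behaviours contrasted above, as an added example that is not code from the post or from any ACME implementation: the eager design mails at authorization time, the lazy design (proposal 1) only arms email-reply-00 when the client first responds to that challenge. It simplifies the challenge to a single token rather than the RFC's split token; the mailbox, OUTBOX and all function names are constructed.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the ACME server's outbound mail queue (no real MTA).
OUTBOX = []  # list of (mailbox, token)

@dataclass
class Challenge:
    type: str
    status: str = "pending"
    token: str = ""  # carried in the mail; empty until the challenge is armed

@dataclass
class Authorization:
    mailbox: str
    challenges: list = field(default_factory=list)

def new_authorization(mailbox: str, eager: bool) -> Authorization:
    """Offer dns-01 and email-reply-00. eager=True models the behaviour the
    post objects to: mail leaves the server at authorization time, whatever
    challenge the client actually intends to use."""
    authz = Authorization(mailbox, [Challenge("dns-01"), Challenge("email-reply-00")])
    if eager:
        email = authz.challenges[1]
        email.token = secrets.token_hex(8)
        OUTBOX.append((mailbox, email.token))
    return authz

def respond(authz: Authorization, chal_type: str, reply_token: Optional[str] = None) -> str:
    """Client POSTs to a challenge URL. In the lazy design this is the only
    place the email side effect can fire."""
    chal = next(c for c in authz.challenges if c.type == chal_type)
    if chal.type != "email-reply-00":
        chal.status = "valid"  # dns-01 etc. modelled as validating immediately
        return chal.status
    if not chal.token:
        # Arm on first contact: send the mail now. The client cannot know the
        # token yet, so this attempt stays "pending" and the client retries.
        chal.token = secrets.token_hex(8)
        OUTBOX.append((authz.mailbox, chal.token))
        return chal.status
    chal.status = "valid" if reply_token == chal.token else "invalid"
    return chal.status

def mails_sent() -> int:
    return len(OUTBOX)

def mail_token_for(mailbox: str) -> str:
    """Stand-in for the client reading the latest challenge mail from its inbox."""
    return next(t for m, t in reversed(OUTBOX) if m == mailbox)
```

Running the dns-01 flow against both designs shows the unwanted mail in the eager case and none in the lazy case, while the lazy email flow still completes on the retry.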