On Thu, Oct 27, 2022 at 11:44:29AM -0500, Jeremy Saklad wrote:
>
> Right now, most of ACME’s validation methods can only be used by
> clients with IP addresses in A/AAAA records corresponding to the
> identifier, as well as specific open ports. This is perfectly
> acceptable for most use cases right now, but it becomes problematic
> when managing certificates for the likes of HTTP alternative services
> or SVCB/HTTPS targets. Such configurations require a certificate for
> the original identifier, but (usually) do not share the same IP
> addresses.
>
> dns-01 sidesteps this limitation, but is often less secure since it
> usually requires credentials for DNS zone modifications to be
> accessible by clients.
>
> I don’t think it is too early to start thinking about more practical
> solutions, in advance of draft-ietf-dnsop-svcb-httpssvc being
> finalized. Perhaps a new form of TLS-ALPN method that uses an
> SVCB/HTTPS record instead of 443/tcp and A/AAAA records? It would need
> to ignore the normal precedence rules, as they would preclude
> lower-priority targets from getting certificates.
It looks like the proposed dns-account-01 method would be very useful here. The key problem of dns-01 here is that it only allows one persistent authorization, whereas dns-account-01 allows multiple.

dns-01 (and dns-account-01) does chase CNAMEs, so one can CNAME the validation name to another zone, which can then be set up to be a zone for ACME instead of a standard DNS zone (one issue is that this pretty much requires either IPv6 or nasty hacks).

The problem with coming up with variants of TLS-ALPN or whatever is that it would require hooking in the CA/Browser Forum to define a new validation method that can be used on the web. Back when HTTP-01 and TLS-ALPN-01 were defined, they fell into previously approved validation methods at the time, avoiding the need to loop in the CABF (the two did later become methods of their own in the BRs).

-Ilari

Acme mailing list
https://www.ietf.org/mailman/listinfo/acme
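The two points in Ilari's reply, that dns-01 chases CNAMEs so the validation name can be delegated to a zone the ACME client controls, and that dns-01 leaves room for only one such persistent delegation per identifier while dns-account-01 gives each account its own name, can be shown in code. The following is an added illustration, not code from the thread or from any ACME implementation. It computes the dns-01 TXT value as RFC 8555 section 8.4 specifies, derives the per-account validation name in the form draft-ietf-acme-dns-account-01 used at the time of this thread (assumed here to be "_" + base32(SHA-256(account URL)[0:10]) + "._acme-challenge." + domain), and runs a toy CNAME-chasing resolver over a constructed zone in which an origin operator and an alternative-service operator each hold an ACME account for the same name. The account URLs, tokens, JWK coordinates and zone names are all constructed placeholders.

```python
"""dns-01 vs dns-account-01 under CNAME delegation (added example, offline toy)."""
import base64
import hashlib
import json


# ---- RFC 8555 challenge arithmetic -------------------------------------------

def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, keys in lexicographic order, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT RDATA = base64url(SHA-256(token "." thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def dns01_name(domain: str) -> str:
    """dns-01: exactly one validation name per identifier."""
    return f"_acme-challenge.{domain}"


def dns_account01_name(domain: str, account_url: str) -> str:
    """Per-account validation name. Assumed form from draft-ietf-acme-dns-account-01:
    "_" + base32(SHA-256(account URL)[0:10]) + "._acme-challenge." + domain."""
    digest = hashlib.sha256(account_url.encode("utf-8")).digest()[:10]
    label = base64.b32encode(digest).decode("ascii").lower()  # 10 bytes -> 16 chars, no padding
    return f"_{label}._acme-challenge.{domain}"


# ---- toy resolver that follows CNAMEs the way the CA's resolver would --------

class Zone:
    """Constructed DNS data: owner name -> list of (rrtype, rdata)."""

    def __init__(self, records: dict):
        self.records = {n.lower().rstrip("."): rrs for n, rrs in records.items()}

    def txt(self, name: str, max_cnames: int = 8) -> list:
        """Return TXT rdata at name, restarting the query at each CNAME target."""
        name = name.lower().rstrip(".")
        for _ in range(max_cnames + 1):
            rrs = self.records.get(name, [])
            cnames = [rd for rtype, rd in rrs if rtype == "CNAME"]
            if cnames:
                name = cnames[0].lower().rstrip(".")
                continue
            return [rd for rtype, rd in rrs if rtype == "TXT"]
        raise RuntimeError(f"CNAME chain ending at {name} is too long or loops")


def validate_dns01(zone: Zone, domain: str, token: str, jwk: dict) -> bool:
    return txt_value(token, jwk) in zone.txt(dns01_name(domain))


def validate_dns_account01(zone: Zone, domain: str, account_url: str, token: str, jwk: dict) -> bool:
    return txt_value(token, jwk) in zone.txt(dns_account01_name(domain, account_url))


# ---- constructed scenario: two operators, one identifier ----------------------

DOMAIN = "www.example.com"
ORIGIN_ACCT = "https://ca.example/acme/acct/1001"  # origin server's ACME account (constructed)
CDN_ACCT = "https://ca.example/acme/acct/2002"     # alt-svc / SVCB target operator (constructed)
ORIGIN_JWK = {"kty": "EC", "crv": "P-256", "x": "origin-x-placeholder", "y": "origin-y-placeholder"}
CDN_JWK = {"kty": "EC", "crv": "P-256", "x": "cdn-x-placeholder", "y": "cdn-y-placeholder"}
ORIGIN_TOKEN = "tok_origin_constructed_0001"
CDN_TOKEN = "tok_cdn_constructed_0002"


def build_demo_zone() -> Zone:
    return Zone({
        # dns-01: one name, so its persistent CNAME can point at only ONE delegated zone.
        dns01_name(DOMAIN): [("CNAME", f"{DOMAIN}.acme.origin-ops.example")],
        # dns-account-01: one name per (identifier, account); each is delegated independently.
        dns_account01_name(DOMAIN, ORIGIN_ACCT): [("CNAME", f"{DOMAIN}.acme.origin-ops.example")],
        dns_account01_name(DOMAIN, CDN_ACCT): [("CNAME", f"{DOMAIN}.acme.cdn-ops.example")],
        # Delegated zones, served by each operator's own ACME-aware name server.
        f"{DOMAIN}.acme.origin-ops.example": [("TXT", txt_value(ORIGIN_TOKEN, ORIGIN_JWK))],
        f"{DOMAIN}.acme.cdn-ops.example": [("TXT", txt_value(CDN_TOKEN, CDN_JWK))],
    })


def demo() -> dict:
    zone = build_demo_zone()
    return {
        "dns01_origin": validate_dns01(zone, DOMAIN, ORIGIN_TOKEN, ORIGIN_JWK),
        "dns01_cdn": validate_dns01(zone, DOMAIN, CDN_TOKEN, CDN_JWK),  # False: CNAME already used
        "acct_origin": validate_dns_account01(zone, DOMAIN, ORIGIN_ACCT, ORIGIN_TOKEN, ORIGIN_JWK),
        "acct_cdn": validate_dns_account01(zone, DOMAIN, CDN_ACCT, CDN_TOKEN, CDN_JWK),
    }


if __name__ == "__main__":
    print(demo())
```

The second operator fails dns-01 not because its TXT value is wrong but because `_acme-challenge.www.example.com` can carry only one CNAME, and it already points at the origin operator's delegated zone; with dns-account-01 both succeed because each account's name is delegated separately. The resolver caps the CNAME chain so a looping or runaway delegation fails closed instead of spinning.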
