On Fri, Oct 28, 2022, at 06:04, Ilari Liusvaara wrote:
> It looks like the proposed dns-account-01 method would be very useful
> here. The key problem of dns-01 here is that it only allows one
> persistent authorization, whereas dns-account-01 allows multiple.

Relying on another authorization is going to work in a lot of cases, so 
using this is probably a good place to start.

> The problem with coming up with variants of TLS-ALPN or whatever is that
> it would require hooking in CA/Browser Forum into defining a new
> validation method that can be used in the web.

This sounds right to me.  I'm not engaged in CA/BF, but I will give notice to 
those at Mozilla who are so that they are aware of this.  It seems like some 
amount of responsiveness to changes in HTTP resolution practices could 
eventually need to be addressed in CA/BF, but my sense is that the degree to 
which legacy clients need basic A/AAAA+CNAME support means that there is no 
real urgency here.
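As an added illustration of the dns-01 versus dns-account-01 point made in the quoted text above (this is example code written for this page, not code from the thread, from either CA, or from the draft itself), the following Python derives the TXT owner name each method uses and shows why a single domain can hold only one persistent CNAME delegation under dns-01 but one per account under dns-account-01. The domain, account URLs and CNAME targets are constructed sample data; the label construction "_" + base32(SHA-256(account URL)[0:10]) + "._acme-challenge" is assumed from the 2022 draft and may not match later revisions.

```python
import base64
import hashlib
import re

# Constructed sample data (not from the thread): one domain whose owner holds
# ACME accounts at two different CAs and wants each CA's validation records
# delegated, via CNAME, to a different validation zone.
DOMAIN = "example.com"
DELEGATIONS = [
    ("https://ca-a.example/acme/acct/12345", "example-com.validation.ca-a.example"),
    ("https://ca-b.example/acme/acct/98765", "example-com.validation.ca-b.example"),
]


def dns_account_label(account_url: str) -> str:
    """Per-account label for dns-account-01.

    Assumption: the 2022 draft construction
        "_" + base32(SHA-256(account URL)[0:10]) + "._acme-challenge"
    Ten bytes base32-encode to exactly 16 characters, so no padding appears.
    Lower-cased because DNS labels compare case-insensitively.
    """
    digest = hashlib.sha256(account_url.encode("ascii")).digest()[:10]
    return "_" + base64.b32encode(digest).decode("ascii").lower() + "._acme-challenge"


def validation_owner_name(domain: str, account_url: str, method: str) -> str:
    """Owner name of the TXT record the CA queries for the given method."""
    if method == "dns-01":
        # RFC 8555: one fixed name per domain, regardless of which account asks.
        return f"_acme-challenge.{domain}"
    if method == "dns-account-01":
        return f"{dns_account_label(account_url)}.{domain}"
    raise ValueError(f"unknown validation method {method!r}")


def delegation_plan(domain, delegations, method):
    """Map each owner name to the CNAME target it should point at.

    A name can carry only one CNAME, so two accounts that share an owner name
    but need different targets cannot both be delegated persistently.  That is
    the dns-01 limitation; dns-account-01 avoids it by giving each account
    its own owner name.
    """
    plan = {}
    for account_url, target in delegations:
        owner = validation_owner_name(domain, account_url, method)
        if owner in plan and plan[owner] != target:
            raise ValueError(f"{owner} is already delegated to {plan[owner]}")
        plan[owner] = target
    return plan


def txt_record_value(token: str, jwk_thumbprint_b64url: str) -> str:
    """TXT value the CA expects at the owner name (same construction for both
    methods): base64url(SHA-256(token "." thumbprint)) without padding."""
    key_authorization = f"{token}.{jwk_thumbprint_b64url}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Shape of a dns-account-01 label: underscore, 16 base32 chars, fixed suffix.
LABEL_RE = re.compile(r"^_[a-z2-7]{16}\._acme-challenge$")


if __name__ == "__main__":
    try:
        delegation_plan(DOMAIN, DELEGATIONS, "dns-01")
    except ValueError as err:
        print("dns-01:", err)
    for owner, target in delegation_plan(DOMAIN, DELEGATIONS, "dns-account-01").items():
        print(f"{owner} CNAME {target}")
```

Running it prints the dns-01 conflict for the second account and then one CNAME line per account for dns-account-01; the CA following each CNAME lands in that CA's own validation zone, so neither delegation has to be torn down to make room for the other.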

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme