RFC8555 already addresses wildcards, no?

Deb Cooley
ACME chair
[email protected]
On Tue, Jan 31, 2023 at 7:11 AM Yanlei(Ray) <ray.yanlei= [email protected]> wrote:
> Hi,
>
> I'm new to this group and sorry for the late comment. I just saw this
> draft and have an idea after reading it. I'd like to know from you experts
> whether it's reasonable.
>
> The illustration in Section 5 uses Subject Alternative Name (SAN) to list
> every subdomain name in a certificate.
>
> I wonder if this mechanism can be replaced by using a wildcard certificate?
>
> Compared with using the Subject Alternative Name (SAN), a wildcard
> certificate can simplify the complexity and reduce the costs for securing a
> number of subdomains.
>
> As the sub-domain name changes, the client with SAN has to re-apply for its
> certificate, but the client with a wildcard certificate does not need to
> change its certificate.
>
> I think wildcard certificates have been commonly used in subdomain
> management.
>
> As illustrated in Section 5:
>
>     +--------+      +------+      +-----+
>     | Client |      | ACME |      | DNS |
>     +---+----+      +---+--+      +--+--+
>         |               |            |
>     STEP 1: Pre-Authorization of ancestor domain
>         |       .       |            |
>         |       .       |            |
>         |       .       |            |
>     STEP 2: Place order for sub1.example.org
>         |       .       |            |
>         |       .       |            |
>         |       .       |            |
>     STEP 3: Place order for sub2.example.org.
>         |       .       |            |
>         |       .       |            |
>         |       .       |            |
>
> If there are multiple subdomains, the client has to place an order
> multiple times, once for every subdomain.
>
> If using a wildcard certificate, the client only needs to place an order
> once for the wildcard certificate.
>
> Then the client can configure its subdomain servers with the same wildcard
> certificate.
>
>     +--------+      +------+      +-----+
>     | Client |      | ACME |      | DNS |
>     +---+----+      +---+--+      +--+--+
>         |               |            |
>     STEP 1: Pre-Authorization of ancestor domain
>         |       .       |            |
>         |       .       |            |
>         |       .       |            |
>     STEP 2: Place order for *.example.org
>         |               |            |
>
> This is just a preliminary idea, and please correct me if I'm thinking
> wrongly.
>
> Regards,
> Lei YAN
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
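The exchange above contrasts one newOrder per subdomain (the SAN flow in Section 5 of the draft) with a single order for `*.example.org` (the wildcard support already in RFC 8555). The following Python is an added example, not code from the thread, the draft or any ACME implementation: it builds the RFC 8555 Section 7.4 newOrder identifier lists for both strategies and checks which names a wildcard really covers, since a wildcard matches exactly one label (RFC 6125 Section 6.4.3) and so does not replace a SAN entry for the apex name or for a deeper name such as `a.b.example.org`. The names `plan_orders`, `wildcard_covers` and the sample hostnames are constructed for this example.

```python
"""Added example (not from the thread or the ACME draft): builds RFC 8555
newOrder identifier lists for the SAN and wildcard strategies discussed above
and reports which names a one-label wildcard actually covers."""
import json


def is_wildcard(name: str) -> bool:
    """RFC 8555 Section 7.1.3: a wildcard identifier is '*.' followed by a
    domain name.  '*' anywhere else (sub*.example.org) is not a wildcard and
    a bare '*' is not a usable identifier."""
    labels = name.lower().rstrip(".").split(".")
    return len(labels) > 1 and labels[0] == "*" and all(
        lab and "*" not in lab for lab in labels[1:]
    )


def wildcard_covers(pattern: str, name: str) -> bool:
    """True if `name` is matched by `pattern`.  A wildcard matches exactly one
    label (RFC 6125 Section 6.4.3): '*.example.org' covers sub1.example.org but
    neither the apex example.org nor the deeper a.b.example.org."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if not is_wildcard(pattern):
        return pattern == name
    parent = pattern.split(".", 1)[1]
    first, _, rest = name.partition(".")
    return bool(first) and "*" not in first and rest == parent


def new_order_payload(names):
    """JSON body of an ACME newOrder request (RFC 8555 Section 7.4): one 'dns'
    identifier per name.  A wildcard is an ordinary identifier here; the server
    flags its authorization with "wildcard": true (Section 7.1.4)."""
    bad = [n for n in names if "*" in n and not is_wildcard(n)]
    if bad:
        raise ValueError(f"not a valid ACME wildcard identifier: {bad}")
    return {"identifiers": [{"type": "dns", "value": n} for n in names]}


def plan_orders(names, wildcard=None):
    """Return the newOrder payloads a client would submit (constructed helper).
    - wildcard=None: one order per subdomain, as in Section 5 of the draft.
    - wildcard given: one order for the wildcard, plus one order for each
      name the wildcard cannot cover (apex, deeper labels)."""
    if wildcard is None:
        return [new_order_payload([n]) for n in names]
    leftover = [n for n in names if not wildcard_covers(wildcard, n)]
    return [new_order_payload([wildcard])] + [new_order_payload([n]) for n in leftover]


if __name__ == "__main__":
    # Constructed sample: two first-level subdomains, one deeper name, the apex.
    names = ["sub1.example.org", "sub2.example.org",
             "deep.sub1.example.org", "example.org"]
    for label, plan in (("per-subdomain (SAN)", plan_orders(names)),
                        ("wildcard *.example.org", plan_orders(names, "*.example.org"))):
        print(f"{label}: {len(plan)} newOrder request(s)")
        for payload in plan:
            print("   ", json.dumps(payload))
```

Running it shows four orders for the SAN strategy and three for the wildcard strategy: the two first-level subdomains collapse into `*.example.org`, while `deep.sub1.example.org` and the apex still need their own orders (or SAN entries), which is the caveat to weigh against the "order once" simplification proposed in the thread.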
