On Sunday, 11 September 2016 23:42:18 UTC+1, Lee wrote:
> Me personally?  Not at all.  I'm just asking if they _do_ have DNSSEC
> for their domains is there a way to leverage that to get a cert via an
> encrypted channel or at least do the domain validation via an
> encrypted channel instead of using email or tcp port 80?

I don't remember what the situation was in the past. Certainly ballot 169 
("modern") DV explicitly permits DNS to be used directly to validate control. 

ACME provides a challenge dns-01 in which the applicant provisions a DNS TXT 
record to prove they control the domain and are requesting the certificate. 
Let's Encrypt implements (an earlier draft of) this challenge today, and if you 
have DNSSEC it will perform correct DNSSEC verification. ACME itself is 
performed over HTTPS to a named server operated by the CA. So in this scenario 
all the steps are protected from a hypothetical Man-in-the-middle with ability 
to subvert most parts of the network but NOT systems directly controlled by the 
name owner, the registries, or the Certificate Authorities...
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy