On the use of OIDs to signify the Blessed Method used for validation, I thought it can't hurt to mention the first obstacle for this idea which occurred to me in respect of Let's Encrypt (and more generally any CA importing ACME, I think).
Suppose an applicant asks for www.example.com, images.example.com and www.example.org. They demonstrate control over www.example.com using files in .well-known/ (sorry I'm writing this on my phone in a hotel room, don't have BR section numbers in front of me) but use DNS to show control over www.example.org... Which OID goes in this certificate? Both of them? There are arbitrarily more complicated examples along these lines, all worth a bit of thought before setting off I think.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

