It would come at the expense of a more streamlined and secure approach (e.g. the ALPN proposal on the acme-wg list), which once standardized I assume Let's Encrypt (and other ACME CAs) would want to fully migrate to.
Alex

On Mon, Jan 15, 2018 at 9:27 AM, Gervase Markham via dev-security-policy <[email protected]> wrote:
> On 14/01/18 21:32, [email protected] wrote:
> > We discussed a similar approach (using CAA) on our community forum,
> > and concluded we don't want to pursue it at this time:
> > https://community.letsencrypt.org/t/tls-sni-via-caa/50172. The TXT
> > record would probably work more widely than CAA, but it would still
> > be encouraging further integration with TLS-SNI-01, when we really
> > want to encourage migration away from it. Right now it's our feeling
> > that the account and renewal whitelisting should mitigate most of the
> > pain of migrating away, but experience and feedback from subscribers
> > will help inform that over time.
>
> Why would you want to continue migrating away if it were based on a
> self-serve whitelist? Would that not re-secure the method?
>
> Gerv
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

