Now that I have read it once again, I find in-band CAA makes less sense, and just
the onion-csr challenge bypasses CAA records:
as things stand, neither CAA nor CAA-critical being posted will ensure there is
no certificate, because you can bypass it with in-band projection from a CA
without a Tor client, and they won't read
> Well, if the CA is willing to run Tor in-house, they can read the CAA record over the Tor
> network (the CA/B BR forbids using an external proxy to access a Tor website for
> verification purposes), and for the onion challenge it already has the key to
> sign this on demand.
Good point, I evidently had not thought things through.
Well, if the CA is willing to run Tor in-house, they can read the CAA record over the Tor network
(the CA/B BR forbids using an external proxy to access a Tor website for verification
purposes), and for the onion challenge it already has the key to sign this on demand,
and it's kinda vague when ACME servers are running a Tor client.
The rationale for expiry is that in the case of http-01 or tls-alpn-01 the
ACME client need not have access to the Onion service's secret key. A long-lived
CAA signature could be generated with the key, provided to the ACME
client to use, and the key could be kept away from the ACME client and
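As an added illustration of the expiry rationale above (example code, not part of this thread or of any ACME draft): the onion service's ed25519 key signs a CAA record together with an expiry once, the ACME client carries only the signed object, and the CA-side check rejects it after the expiry so a leaked long-lived object cannot be replayed forever. The message layout and field names are assumptions for this example, not a specified wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// SignedCAA is a hypothetical in-band CAA object: the record text, a Unix
// expiry, and an ed25519 signature made with the onion service's long-term key.
type SignedCAA struct {
	CAA       string // e.g. `0 issue "ca.example"` (constructed sample)
	Expiry    int64  // Unix seconds after which the object must be rejected
	Signature []byte
}

// message is the byte string covered by the signature. The layout is an
// assumption for this example, not a draft's wire format.
func message(caa string, expiry int64) []byte {
	return []byte("onion-caa|" + strconv.FormatInt(expiry, 10) + "|" + caa)
}

// SignCAA runs wherever the onion service secret key lives. The result can be
// handed to an ACME client that never sees the key.
func SignCAA(priv ed25519.PrivateKey, caa string, validFor time.Duration, now time.Time) SignedCAA {
	exp := now.Add(validFor).Unix()
	return SignedCAA{CAA: caa, Expiry: exp, Signature: ed25519.Sign(priv, message(caa, exp))}
}

// VerifyCAA is the CA-side check: the object must not have expired and the
// signature must verify under the onion service's public key.
func VerifyCAA(pub ed25519.PublicKey, s SignedCAA, now time.Time) error {
	if now.Unix() > s.Expiry {
		return errors.New("signed CAA object has expired")
	}
	if !ed25519.Verify(pub, message(s.CAA, s.Expiry), s.Signature) {
		return errors.New("bad signature on CAA object")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the onion key
	now := time.Now()
	s := SignCAA(priv, `0 issue "ca.example"`, 24*time.Hour, now)
	fmt.Println("fresh:", VerifyCAA(pub, s, now))
	fmt.Println("stale:", VerifyCAA(pub, s, now.Add(48*time.Hour)))
}
```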