Re: [Acme] Support for domains with redundant but not immediately synchronized servers

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hello list, On 07.12.2015 01:32, Manger, James wrote: >>> Ideally, it [Let's Encrypt] would use the IP of the requester >>> (of course only after it has verified that the IP is in the >>> DNS) or allow the requester to specify a preferred IP. >

[Acme] tls-sni-01 validation compromise

In working to implemented LetsEncrypt at Bitly, I uncovered an issue with the tls-sni-01 validation that limits its trustworthiness in validation. Issue: The tls-sni-01 validation is intended to prove control over a domain name. The challenge relies on presenting a

Re: [Acme] tls-sni-01 validation compromise

On 22 January 2016 at 13:38, Jehiah Czebotar wrote: > 1) Change the requirement that the self signed cert have one DNSName, > and require the response to have TWO DNS names. One that matches the > requested hostname, and a second that is secret which proves it can > only be