Hi,
this problem is not new. I raised the problem with letsencrypt over a
month ago.
Better would be:
Client sends clientnonce, ECDSA-SHA256(servernonce, clientnonce)
The cert for .challenge.acme contains the public key.
So the client has proved he controls the server.
On Thu, Jan 21, 2016 at 09:38:24PM -0500, Jehiah Czebotar wrote:
> Because the server initiating the validation request is presenting the
> full ServerName expected back, it is thus untrusted and can not be
> used to imply any relation to the party requesting validation. It is
> possible to
In working to implement LetsEncrypt at Bitly, I uncovered an issue
with the tls-sni-01 validation that limits its trustworthiness in
validation.
Issue:
The tls-sni-01 validation is intended to prove control over a domain
name. The challenge relies on presenting a
On 22 January 2016 at 13:38, Jehiah Czebotar wrote:
> 1) Change the requirement that the self signed cert have one DNSName,
> and require the response to have TWO DNS names. One that matches the
> requested hostname, and a second that is secret which proves it can
> only be