The issue with DNS right now through ACME is that you effectively have to give the ability for every certificate issuing system to change a single DNS zone. This is possible in small organizations but very prohibitive in large organizations.
On Wed, Sep 18, 2024 at 12:38 PM Tobias S. Josefowitz via Servercert-wg <[email protected]> wrote:

> Hi Andrew,
>
> On Wed, 18 Sep 2024, Andrew Ayer wrote:
>
> > On Wed, 18 Sep 2024 14:51:52 +0000 "Tobias S. Josefowitz via Servercert-wg" <[email protected]> wrote:
> >
> > > While it may be possible to securely implement automation based on this that does so securely, checking the CSR and correlates it to the CSR automatically handed in... it sounds unlikely that the majority of such implementations do this properly. It would be reasonably involved to arrive at an actually secure automated process, and it would so easily lend itself to an insecure implementation.
> >
> > You can see in Amazon's documentation (https://docs.aws.amazon.com/acm/latest/userguide/email-automation.html) that the email clearly specifies the account ID of the certificate requester and a certificate identifier. It is critical to validate the account ID. I don't think this is as hard as you're suggesting.
>
> Indeed, thank you for sharing this. I can easily see how one could do something useful with this. I am not convinced that's where the majority of users of this method necessarily arrive, but I certainly do not want to criticize anyone who did.
>
> > Unfortunately, I don't think this is universally true. ALPN and HTTP challenges don't work for wildcards or hostnames that are not publicly-accessible on port 80 or 443. Large organizations usually lock down the ability to create DNS records, or are using DNS providers without sensible APIs, making it a significant challenge to manage DNS challenges at scale. Being able to delegate certificate validation for all domains to a central point is extremely useful.
>
> I still maintain that ACME with automated DNS changes is ultimately the better option, DNS hosting options enabling that are readily available as well. But I would not like to be forced to transition from one that doesn't allow it to one that does for an organization, and specifically not in a short timeframe.

Point taken.

> > In the long term this should not be a reason to keep around WHOIS validation, and I support immediately sunsetting WHOIS validation for ccTLDs due to the demonstrated problem there. I just wanted to provide an explanation for why sunsetting WHOIS would be disruptive to currently-deployed automation solutions.
>
> Thank you for that!
>
> Tobi
> _______________________________________________
> Servercert-wg mailing list
> [email protected]
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
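The account-ID check Andrew describes for Amazon's email-validation automation, as an added example that is not part of this thread and not Amazon's code: the email layout, field names and account IDs below are constructed stand-ins, and `PENDING_REQUESTS` assumes the organisation keeps a log of the certificate requests it opened itself. The contrast with `naive_approve` shows the insecure automation Tobias is concerned about.

```python
import re
from email import message_from_string

# Assumption: the organisation records every certificate request it opens,
# keyed by (account ID, certificate identifier). These values are constructed.
PENDING_REQUESTS = {
    ("111122223333", "cert-abc123"),
}

# Constructed field layout; Amazon's real template may differ.
ACCOUNT_RE = re.compile(r"^Account ID:\s*(\d{12})\s*$", re.M)
CERT_RE = re.compile(r"^Certificate ID:\s*([A-Za-z0-9-]+)\s*$", re.M)


def extract_request(raw_email: str):
    """Return (account_id, cert_id) from the body, or None if a field is absent."""
    body = message_from_string(raw_email).get_payload()
    acct = ACCOUNT_RE.search(body)
    cert = CERT_RE.search(body)
    if acct is None or cert is None:
        return None
    return acct.group(1), cert.group(1)


def naive_approve(raw_email: str) -> bool:
    """The insecure pattern: approve any email that looks like an approval request."""
    return "approve" in raw_email.lower()


def should_approve(raw_email: str, pending=PENDING_REQUESTS) -> bool:
    """Approve only when the email names a request this organisation opened
    itself: both the account ID and the certificate ID must match."""
    req = extract_request(raw_email)
    return req is not None and req in pending


# Constructed sample: a validation email for our own request.
OWN_REQUEST = """From: no-reply@validation.example
Subject: Approve certificate request

Account ID: 111122223333
Certificate ID: cert-abc123
Click the link below to approve this request.
"""

# Same email, but naming an account we do not control: a request someone
# else opened for our domain, which the naive approver would wave through.
FOREIGN_REQUEST = OWN_REQUEST.replace("111122223333", "999999999999")
```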
