2016-07-20 11:51 GMT+02:00 Yaron Sheffer <yaronf.i...@gmail.com>:
> Hi,
>
> At the LURK BoF this week there was some interest in having a solution
> where a domain owner can delegate to some other entity (which we will
> call "the TLS server") the authority to terminate TLS connections on its
> behalf, using short-term certificates. These certificates allow the
> domain owner to terminate the TLS server's authorization when necessary,
> without requiring certificate revocation - which we know doesn't work
> reliably. The certificates' validity is measured in days, e.g. 3 days.
>
> First, I would like to request the working group to adopt short-term
> certificates as a charter item.
>
> Second, I would like the group's advice in choosing between two very
> different approaches to this problem.
>
You can already delegate HTTP-01 by redirecting `/.well-known/acme-challenge/*`
(maybe even just for unknown tokens).

Also, for short-lived certificates, there's already the `notAfter` field when
filing applications for a certificate:
https://ietf-wg-acme.github.io/acme/#rfc.section.6.1.3

Regards,
Niklas
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme