On 08/06/2016 10:49 AM, Eric Rescorla wrote: > > > On Sat, Aug 6, 2016 at 10:36 AM, Jacob Hoffman-Andrews <j...@eff.org > <mailto:j...@eff.org>> wrote: > > > I also think EKR's comment that we need the ability to authorize domain > names without immediately issuing is a solid one*. So I think we should > take the conservative approach and roll back the new-application flow > for now. I do think we should document wildcard validation before we > finalize the spec, but new-application may not be the best way to do > that. > > *Eric, would you mind repeating what you said for the benefit of the > list? All we have right now are the notes and Richard's paraphrase. > > > To the best of my memory, my comment was that I thought it was unfortunate > that in order to register a domain you would have to generate a valid CSR > and potentially actually get it issued. This is especially true if the > key you > plan to use for authorization is of a type you never intend to issue into an > EE (e.g., you are authorizing with Ed255159 but you are planning to > issue ECDSA and RSA). And it may not be possible to make these align > if you have various restrictions due to HSMs.
Sorry to jump into this so late but could you elaborate on the use case your are suggesting here? I am slightly confused about in what circumstances you would want to authorize a domain for issuance, but not actually issue for it. In a situation where you i.e. don't know all of the names you want to issue for in the future why not just wait until you do know all of those names to create the authorizations? The same goes for the HSM situation you describe, the key will be needed to sign the CSR at some point anyway so why do the authorizations need to be created before the key is used? > > -Ekr > > > > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme > _______________________________________________ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
