On Tue, Feb 07, 2017 at 05:27:48PM +0000, Salz, Rich wrote:

> I put the time period as six weeks, which takes us to just around IETF-98...
> 
> PLEASE reply on list if you will review and/or are interested in working on 
> interop. 

I see there's no reference to use of DNSSEC resolvers by CAs that
implement DNS challenges.  Just a suggestion to send probes from
multiple networks to avoid MiTM attacks, which seems rather weak
to me.  The MiTM might be collocated near the victim rather than
the CA.

There was some brief discussion of DNSSEC back in Oct/2015:

    https://www.ietf.org/mail-archive/web/acme/current/thrd3.html#00561

        https://www.ietf.org/mail-archive/web/acme/current/msg00561.html
        https://www.ietf.org/mail-archive/web/acme/current/msg00562.html
        https://www.ietf.org/mail-archive/web/acme/current/msg00563.html
        https://www.ietf.org/mail-archive/web/acme/current/msg00564.html
        https://www.ietf.org/mail-archive/web/acme/current/msg00565.html
        https://www.ietf.org/mail-archive/web/acme/current/msg00729.html

but no further action.  Is there a compelling reason to avoid
requiring acme CAs to spin up a validating resolver?  It does not
seem like a lot to ask.  If a domain is DNSSEC-signed then its ACME
challenge should IMHO be validated via DNSSEC.

-- 
        Viktor.
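As an added illustration of the CA-side policy argued for above (example code, not from the thread or any ACME implementation): a validating resolver answers SERVFAIL for a DNSSEC-bogus name, sets the AD flag for validated data, and clears AD for an unsigned zone, so the CA can classify each dns-01 lookup and only fall back to multi-vantage probing where DNSSEC gives no answer. The `Response` type and all sample values are constructed here; the TXT value computation follows the dns-01 definition in the ACME specification.

```python
import base64
import hashlib
from dataclasses import dataclass

# Header fields a validating resolver sets (RFC 1035 / RFC 4035).
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2
FLAG_AD = 0x0020  # Authenticated Data: every RRset in the answer validated


@dataclass
class Response:
    """Constructed view of a resolver reply (mirrors what a DNS library
    exposes: response code, header flags, decoded TXT strings)."""
    rcode: int
    flags: int
    txt: list


def expected_txt(key_authorization: str) -> str:
    """dns-01 record value: base64url(SHA-256(keyAuthorization)), unpadded."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def classify(resp: Response) -> str:
    """Map a validating resolver's reply to a DNSSEC security state.
    SERVFAIL -> bogus (validation failed), AD set -> secure,
    NOERROR without AD -> insecure (zone is unsigned)."""
    if resp.rcode == RCODE_SERVFAIL:
        return "bogus"
    if resp.rcode != RCODE_NOERROR:
        return "error"
    return "secure" if resp.flags & FLAG_AD else "insecure"


def challenge_passes(resp: Response, key_authorization: str,
                     allow_insecure: bool = True) -> bool:
    """CA-side decision for one dns-01 lookup. A secure answer stands on
    its own; an insecure one is accepted only if policy allows it (the CA
    must then rely on probing from several networks); bogus never passes."""
    state = classify(resp)
    if state == "secure" or (state == "insecure" and allow_insecure):
        return expected_txt(key_authorization) in resp.txt
    return False


if __name__ == "__main__":
    # Constructed key authorization "<token>.<account key thumbprint>".
    keyauthz = "token123.thumbprint456"
    good = Response(RCODE_NOERROR, FLAG_AD, [expected_txt(keyauthz)])
    print(classify(good), challenge_passes(good, keyauthz))
```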

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme