On Tue, Feb 07, 2017 at 05:27:48PM +0000, Salz, Rich wrote:

> I put the time period as six weeks, which takes us to just around IETF-98...
>
> PLEASE reply on list if you will review and/or are interested in working on
> interop.
I see there's no reference to use of DNSSEC resolvers by CAs that implement
DNS challenges. Just a suggestion to send probes from multiple networks to
avoid MiTM attacks, which seems rather weak to me. The MiTM might be
collocated near the victim rather than the CA.

There was some brief discussion of DNSSEC back in Oct/2015:

  https://www.ietf.org/mail-archive/web/acme/current/thrd3.html#00561
  https://www.ietf.org/mail-archive/web/acme/current/msg00561.html
  https://www.ietf.org/mail-archive/web/acme/current/msg00562.html
  https://www.ietf.org/mail-archive/web/acme/current/msg00563.html
  https://www.ietf.org/mail-archive/web/acme/current/msg00564.html
  https://www.ietf.org/mail-archive/web/acme/current/msg00565.html
  https://www.ietf.org/mail-archive/web/acme/current/msg00729.html

but no further action.

Is there a compelling reason to avoid requiring ACME CAs to spin up a
validating resolver? It does not seem like a lot to ask. If a domain is
DNSSEC-signed then its ACME challenge should IMHO be validated via DNSSEC.

-- 
	Viktor.

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
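The check being asked for above, as an added example that is not part of this thread, of the ACME draft, or of any CA's code: a CA-side dns-01 validator that parses the TXT answer for the challenge name and, when the zone is known to be DNSSEC-signed, refuses any answer its validating resolver did not mark Authenticated Data (AD). The DNS messages are hand-built wire format (constructed sample data, no network), the challenge name and expected value are hypothetical, and whether the zone is signed is assumed to be determined out of band (for instance by the CA's own DS lookup) and passed in as a flag.

```python
"""dns-01 acceptance logic requiring DNSSEC-authenticated answers for signed zones.

Added example, not code from the ACME draft or any CA. Messages are built
by hand in DNS wire format so the example runs offline.
"""
import struct

AD_FLAG = 0x0020   # Authenticated Data bit in the DNS header flags word
QTYPE_TXT = 16
QCLASS_IN = 1


def _encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(name: str, txt_values, ad: bool, msg_id: int = 0x1234) -> bytes:
    """Construct a TXT response as a resolver would return it (sample data)."""
    flags = 0x8180 | (AD_FLAG if ad else 0)          # QR, RD, RA, optionally AD
    header = struct.pack("!HHHHHH", msg_id, flags, 1, len(txt_values), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)
    answers = b""
    for value in txt_values:
        rdata = bytes([len(value)]) + value.encode("ascii")   # one <character-string>
        answers += _encode_name(name)
        answers += struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 300, len(rdata)) + rdata
    return header + question + answers


def _decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                   # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Return the AD flag and the concatenated TXT strings in the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                               # skip question section
        _, off = _decode_name(msg, off)
        off += 4
    txts = []
    for _ in range(an):
        _, off = _decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT:
            pos, parts = 0, []
            while pos < len(rdata):                   # rdata is a list of <character-string>s
                n = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + n].decode("ascii"))
                pos += 1 + n
            txts.append("".join(parts))
    return {"ad": bool(flags & AD_FLAG), "txt": txts}


def dns01_decision(response: bytes, expected: str, zone_signed: bool) -> str:
    """Accept the challenge only if the record matches and, for a signed zone,
    the validating resolver authenticated the answer (AD set). zone_signed is
    assumed to come from an out-of-band check such as the CA's own DS lookup."""
    parsed = parse_response(response)
    if expected not in parsed["txt"]:
        return "fail: no matching TXT record"
    if zone_signed and not parsed["ad"]:
        return "fail: signed zone but answer not authenticated (AD clear)"
    if parsed["ad"]:
        return "pass: authenticated by DNSSEC"
    return "pass: unsigned zone, rely on multi-vantage-point probing"


if __name__ == "__main__":
    name = "_acme-challenge.example.com"             # hypothetical challenge name
    good = build_response(name, ["tokenhash"], ad=True)
    spoof = build_response(name, ["tokenhash"], ad=False)
    print(dns01_decision(good, "tokenhash", zone_signed=True))
    print(dns01_decision(spoof, "tokenhash", zone_signed=True))
    print(dns01_decision(spoof, "tokenhash", zone_signed=False))
```

The point the decision function makes explicit is that an on-path attacker near the victim's authoritative servers can hand the CA a correct-looking TXT record; only a validating resolver, with the CA insisting on AD for zones it knows to be signed, turns that into a hard failure rather than something multi-network probing might or might not catch.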