> On Jan 12, 2018, at 10:20 AM, Gerd v. Egidy <gerd.von.eg...@intra2net.com> wrote:
>
> - As TLS-SNI-01/02 before, it is done completely via HTTPS on TCP port 443. So if HTTPS is the protocol you want to use the cert for, you wouldn't need access to an additional TCP port like HTTP-01 does. This may not be important for regular web hosting, but for a scenario where the certificate protects some software running on a host behind a router or firewall only allowing port 443 through.
>
> What do you think?
As I've not yet considered the other aspects, I can't comment as to the advisability. I did want to say that if an acceptable mechanism is found in this manner, it does help with some but not all in-band TLS validation mechanisms. It works for web server cases. It does not fully replace the mechanisms of the TLS-SNI sort because it would not work for other protocols running over TLS (like SMTP/TLS). The TLS-SNI mechanisms do facilitate that. Still, if the risks are otherwise acceptable, such a challenge mechanism might be a path of least resistance for those impacted by the TLS-SNI-01 deprecation.

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme