Hey all,

Following on from the meeting today I wanted to start a discussion on what to 
do moving forward with regard to the reverse-dns method defined in 
draft-ietf-acme-ip. There were arguments on both sides about whether the method 
should be retained or removed, which I’ll quickly paraphrase (if you feel I’ve 
misrepresented either, please correct me).

The argument for removing this was that there are no technical issues with the 
method as-is but that the reverse DNS zones are historically badly managed and 
that using them for validation will cause problems down the line (presumably 
misissuance by a person who controls the zone but doesn’t actually control the 
IPs the zone represents). The argument for keeping it is that the IETF (or more 
specifically the ACME WG) should not be where CA or browser policy is dictated 
and that given these methods are currently allowed under the CABF BRs and 
browser root programs it would actually be useful to have a technically defined 
method for validation that can at least be used as a tool for further research 
on the topic.

As stated at the meeting, I’m of the opinion that we should move forward with 
the method in the document, and if individual browsers or CABF feel strongly 
that these methods are not secure they should disallow their usage in their 
root programs or the BRs respectively, which would prevent any CA from actually 
using the method. That said, there was obviously a contingent of people who 
disagree with me on this.

I guess one thing to ask is do we have anyone who would actually _want_ to use 
this? My understanding is the main use case, much like for the dns-01 
challenge, is to get certs for IP identifiers before actually having to stand 
anything up on a machine so that it can instantly start doing its job which 
seems valuable.

Thanks,
Roland
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme