On Fri, May 25, 2018 at 08:09:01AM -0700, Ben Sykes wrote:
> Hi there,
>
> Having read through the draft spec, I have a concern over certificate
> renewals.
> As I read it, the server would have to temporarily use a customized
> self-signed certificate while the check is pending. Won't this mean any
> regular user connecting to that server over TLS at the time would be
> presented with the self-signed certificate? This would manifest as
> downtime for the service.
> Is there a provision for renewal using this method?
AFAIK, there is no way to construct a validation method that is all of:

- Can be used by "public" CAs.
- TLS-level.
- Operates on port 443.
- No downtime.
- No special application or TLS library support required.

TLS-ALPN fails the last line (if you do not have special application or TLS
library support, you take downtime).

I have cooked an experimental version of a TLS library I have written, with
the needed support to answer the validation queries with no downtime (also
internally generating the needed certificate from the name -> key
authorization mapping).

-Ilari

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
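The no-downtime behaviour Ilari describes, as an added example in Go that is not his library's code nor anything posted in the thread: a tls.Config.GetCertificate hook that generates the validation certificate only for a handshake offering the acme-tls/1 ALPN protocol for a name with a pending challenge, and hands the production certificate to every other client. The ALPN identifier and the id-pe-acmeIdentifier OID are the values published in RFC 8737, not the 2018 draft under discussion, and the name -> key authorization map is an assumed shape.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

const acmeTLSProto = "acme-tls/1" // from RFC 8737 (published TLS-ALPN-01), not the 2018 draft
var acmeIdentifierOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31} // id-pe-acmeIdentifier, RFC 8737

// validationCert builds the self-signed challenge certificate for name: SAN = name plus the
// critical acmeIdentifier extension carrying SHA-256(keyAuthz) as a DER OCTET STRING.
func validationCert(name, keyAuthz string) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(keyAuthz))
	extVal, _ := asn1.Marshal(digest[:]) // encoding a []byte as OCTET STRING cannot fail
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: acmeIdentifierOID, Critical: true, Value: extVal}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// certSelector is a tls.Config.GetCertificate hook over the pending name -> key authorization
// mapping (assumed shape): only a handshake offering acme-tls/1 for a name with a pending
// challenge gets the validation certificate; everyone else keeps getting prod, so no downtime.
func certSelector(prod *tls.Certificate, pending map[string]string) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		for _, p := range hello.SupportedProtos {
			if ka, ok := pending[hello.ServerName]; ok && p == acmeTLSProto {
				return validationCert(hello.ServerName, ka)
			}
		}
		return prod, nil
	}
}
```

The tls.Config using this hook must also list acme-tls/1 in NextProtos, otherwise the server never negotiates the protocol and the validation client is refused.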