Hi all,

The new RFC (8555) states (on p26), for order objects, that a 1:1 
relationship may not exist between an order’s identifiers and its authzs.

Given that each authz object contains exactly 1 identifier, how would 
this play out for CAs that accept authz against a base domain as substitutive 
for authz on a subdomain?

Consider an order to the hypothetical “AwesomeSSL” CA for example.com 
and www.example.com. AwesomeSSL considers authz against “example.com” to 
implicitly demonstrate control over “www.example.com”. Since the order requires 
successful authz for both domains, and (for AwesomeSSL) authz for “example.com” 
suffices for both domains, having a separate authz against “www” is 
superfluous. So it would be reasonable for this order to contain a single authz 
… and would that authz’s identifier be just “example.com”, then? Thus that 
authz object would not reference “www”, even though it is that domain’s 
corresponding authz object? Or would a client be accountable for implementing a 
“best-match authz” lookup to determine which authz corresponds to a given 
domain?

Thank you!

-Felipe Gasper
Mississauga, Ontario
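A client-side “best-match authz” lookup of the kind the post asks about, as an added example that is not code from this thread or from any ACME implementation. It assumes constructed order and authz objects for the hypothetical AwesomeSSL CA, and it also handles the RFC 8555 `wildcard` field, which the post does not mention.

```python
# Constructed sample objects in the shape RFC 8555 describes (only the fields
# this lookup needs), for the post's hypothetical "AwesomeSSL" CA: the order
# lists two identifiers but one authz, since "example.com" covers "www" too.
ORDER = {
    "identifiers": [
        {"type": "dns", "value": "example.com"},
        {"type": "dns", "value": "www.example.com"},
        {"type": "dns", "value": "api.other.example"},
    ],
    "authorizations": ["https://awesomessl.example/acme/authz/1"],
}
# Authz objects keyed by URL, as a client holds them after fetching each one.
AUTHZS = {
    "https://awesomessl.example/acme/authz/1": {
        "identifier": {"type": "dns", "value": "example.com"},
        "wildcard": False,
    },
}

def parent_chain(name):
    """Return name and each ancestor: www.example.com -> example.com -> com."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def best_match_authz(order, authzs, allow_base_domain=True):
    """Map each order identifier to the URL of the authz covering it.

    Precedence: exact non-wildcard authz; wildcard authz on the immediate
    parent (the RFC's own subdomain mechanism); then, if allow_base_domain,
    a non-wildcard authz on any ancestor (the AwesomeSSL policy). Identifiers
    left at None are uncovered, so the client should not finalize the order.
    """
    by_value = {}
    for url in order["authorizations"]:
        ident = authzs[url]["identifier"]
        if ident["type"] == "dns":
            by_value[ident["value"]] = (url, authzs[url].get("wildcard", False))
    result = {}
    for ident in order["identifiers"]:
        name = ident["value"]
        result[name] = None
        for depth, candidate in enumerate(parent_chain(name)):
            if candidate not in by_value:
                continue
            url, wildcard = by_value[candidate]
            if (depth == 0 and not wildcard) or (depth == 1 and wildcard) \
                    or (depth >= 1 and not wildcard and allow_base_domain):
                result[name] = url
                break
    return result
```

Run against a CA that does not accept base-domain substitution by passing `allow_base_domain=False`; the `www` identifier then comes back as `None` and the client knows it still needs its own authz.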
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme