I haven't followed the "ACME for subdomains" conversation closely, but the
base semantics of ACME are designed such that they can express "all of"
semantics AND "one of" semantics. For a given Order, a client has to fulfil
*all* the Authorizations; for a given Authorization, a client has to
fulfil *one of* the Challenges.

To take advantage of this, you would need to define a new challenge type
that expresses validating a parent domain. For instance "dns-parent-01." It
would contain the name of the parent domain as a field.

If a server has the policy that validating control of either
foo.bar.example.com or example.com is sufficient to issue for
foo.bar.example.com, it would respond to newOrder requests for
foo.bar.example.com by creating an Order with one Authorization (for
foo.bar.example.com), and that Order would have two Challenges: "dns-01"
and "dns-parent-01" (with a parent domain of "example.com"). The client
could then choose which challenge to attempt.
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
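The Order/Authorization/Challenge layout described in the message, worked through as an added illustration (not code from the list or from any ACME implementation). "dns-parent-01" and its "parent" field are the hypothetical challenge type proposed above; the URLs, the token placeholder and the CA policy set are constructed, and authorizations are embedded inline rather than referenced by URL as RFC 8555 does, to keep the example self-contained.

```python
# Added illustration of the proposal in the message, not real ACME code.
# "dns-parent-01" / "parent" are hypothetical; object fields loosely follow
# the RFC 8555 Order, Authorization and Challenge shapes.

def parent_domains(fqdn):
    """Yield the proper parent domains of fqdn, longest first, never
    yielding the bare final label (e.g. "com")."""
    labels = fqdn.split(".")
    for i in range(1, len(labels) - 1):
        yield ".".join(labels[i:])


def build_authorization(fqdn, policy_parents, base="https://ca.example/acme"):
    """Server side: one Authorization for fqdn offering dns-01 plus a
    dns-parent-01 challenge for each parent the CA's policy accepts."""
    challenges = [{"type": "dns-01", "status": "pending",
                   "url": f"{base}/chall/{fqdn}/dns-01",
                   "token": "TOKEN-PLACEHOLDER"}]  # constructed value
    for parent in parent_domains(fqdn):
        if parent in policy_parents:
            challenges.append({"type": "dns-parent-01", "status": "pending",
                               "parent": parent,
                               "url": f"{base}/chall/{fqdn}/dns-parent-01/{parent}",
                               "token": "TOKEN-PLACEHOLDER"})
    return {"identifier": {"type": "dns", "value": fqdn},
            "status": "pending", "challenges": challenges}


def build_order(fqdns, policy_parents):
    """Server side: newOrder response with one Authorization per identifier."""
    return {"status": "pending",
            "identifiers": [{"type": "dns", "value": f} for f in fqdns],
            "authorizations": [build_authorization(f, policy_parents)
                               for f in fqdns]}


def choose_challenge(authz, preferred_types):
    """Client side: pick the first offered challenge type the client supports."""
    for t in preferred_types:
        for c in authz["challenges"]:
            if c["type"] == t:
                return c
    return None


def order_is_ready(order):
    """ACME's all-of / one-of rule: every Authorization must be satisfied,
    and an Authorization is satisfied by any one valid Challenge."""
    return all(any(c["status"] == "valid" for c in a["challenges"])
               for a in order["authorizations"])
```

With the policy from the message (`policy_parents = {"example.com"}`), an order for foo.bar.example.com gets exactly one Authorization carrying two Challenges, and validating either one is enough.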