Well, Certificate Transparency is something one should maybe keep notifications for.
Also, I can understand the problem, but I have not decided the outcome; I merely stated what I got as an answer back then. The problem is obviously also that the CA/Browser Forum has certain requirements, and I guess having access to some kind of direct verification at the time of issue might probably be one of these.

On Fri, 11 Sept 2020 at 15:21, Simon Ser <cont...@emersion.fr> wrote:

> Hi,
>
> On Friday, September 11, 2020 3:13 PM, Philipp Junghannß <teamhydro55...@gmail.com> wrote:
>
> > I have asked that question in the LE forum. IIRC, the problem is that
> > someone could place that record once, and as long as someone doesn't
> > look at it all the time, one can easily miss the fact that someone can
> > create wildcards and stuff for that domain, so the point is to prove
> > that DNS access is given at the time of issuance.
>
> If someone has once write access to the DNS, they can set an
> acme-challenge record, redirect all requests, and issue wildcard certs.
> That would be easy to miss, too.
>
> > You could maybe use a different DNS server which has a better API,
> > and potentially even can be used by ACME.
>
> The issue at hand isn't that a particular DNS registry operator isn't
> supported by a particular ACME client. What I want to fix is the need
> for all ACME clients to support all DNS registry operators.
>
> Thanks,
>
> Simon
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme