Owen Friel (ofriel) <ofr...@cisco.com> wrote:
> The draft as is does not preclude http-01 challenges, but I agree that
> the dns-01 challenge is more applicable.
I'm gonna pick on this part only.

An http-01 challenge shows that the client controls the web resource that is named. It does nothing at all about control of the DNS. We don't know anything about the client's control over the DNS, about any other names in the DNS.

When we do a dns-01 challenge for a specific name, we mostly prove exactly the same thing: that the client can direct traffic to that name to a place that it could potentially control. {Well, the presence of CNAMEs (and DNAMEs) blurs this a bit}

If we do a dns-01 challenge for foo.example, then there is an assumption in the challenge that we control the DNS for foo.example, and therefore could put any.thing.foo.example into the DNS and control that. Really, it doesn't quite prove that: it proves that we can update _acme-challenge.foo.example, and that could be the only thing we can actually control.

We might want to think about whether the authorization phase for a subdomain challenge might need to show control over more bits than just that. For instance, we could demand proof of _acme-challenge.ran.dom.token.foo.example. Perhaps even that we can insert A or AAAA records at that spot too.

-- 
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
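The point above, that a TXT record at `_acme-challenge.foo.example` proves only that one name is writable, can be made concrete. The following is an added example written for this discussion, not code from the thread, the ACME draft or any CA. It computes the RFC 8555 §8.4 dns-01 TXT value (base64url of SHA-256 over `token.thumbprint`, with the RFC 7638 JWK thumbprint) and then checks a constructed in-memory zone, first at the standard name and then at the scoped name `_acme-challenge.<random-label>.foo.example` that the post proposes, together with the A/AAAA check it also floats. The JWK members, token, zone contents and the 192.0.2.0/24 address are constructed sample values; the zone models a client that was only ever given write access to the single `_acme-challenge` record.

```python
import base64
import hashlib
import json
from typing import Dict, Optional, Set, Tuple

# Zone model used by this example: (owner name, RR type) -> set of record data.
Zone = Dict[Tuple[str, str], Set[str]]


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as used throughout ACME (RFC 8555 / RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the compact JSON of the required members.

    This constructed example only handles EC keys (members crv, kty, x, y);
    the members must be emitted in lexicographic order with no whitespace.
    """
    required = ("crv", "kty", "x", "y")
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 s8.4: TXT rdata = base64url(SHA-256(keyAuthorization)),
    where keyAuthorization = token '.' thumbprint."""
    key_authz = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authz.encode("ascii")).digest())


def validation_name(domain: str, scope_label: Optional[str] = None) -> str:
    """Standard dns-01 owner name is _acme-challenge.<domain>.
    The post's proposal (an assumption here, not part of RFC 8555) inserts a
    server-chosen random label beneath the domain being authorized."""
    if scope_label is None:
        return f"_acme-challenge.{domain}"
    return f"_acme-challenge.{scope_label}.{domain}"


def txt_present(zone: Zone, name: str, expected: str) -> bool:
    """True if the zone holds a TXT record at name whose rdata equals expected."""
    return expected in zone.get((name, "TXT"), set())


def address_present(zone: Zone, name: str) -> bool:
    """True if the zone holds any A or AAAA record at name (the post's extra check)."""
    return bool(zone.get((name, "A"), set()) or zone.get((name, "AAAA"), set()))


def scope_report(zone: Zone, domain: str, token: str, thumbprint: str,
                 scope_label: str) -> Dict[str, bool]:
    """Run the standard challenge and the scoped variant against one zone."""
    value = dns01_txt_value(token, thumbprint)
    scoped = validation_name(domain, scope_label)
    return {
        "standard_txt": txt_present(zone, validation_name(domain), value),
        "scoped_txt": txt_present(zone, scoped, value),
        "scoped_address": address_present(zone, scoped),
    }


# Constructed sample inputs (not a real key; x/y are arbitrary base64url strings).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "constructed-x-coordinate-value",
              "y": "constructed-y-coordinate-value"}
SAMPLE_TOKEN = "constructed-token-from-server"
SAMPLE_THUMB = jwk_thumbprint(SAMPLE_JWK)

# Constructed zone: the client could write exactly one record, the standard
# _acme-challenge TXT, and nothing else under foo.example.
SAMPLE_ZONE: Zone = {
    ("foo.example", "A"): {"192.0.2.10"},
    ("_acme-challenge.foo.example", "TXT"): {dns01_txt_value(SAMPLE_TOKEN, SAMPLE_THUMB)},
}


if __name__ == "__main__":
    print(scope_report(SAMPLE_ZONE, "foo.example", SAMPLE_TOKEN, SAMPLE_THUMB,
                       scope_label="ran.dom.token"))
```

Against the constructed zone the standard challenge succeeds while both scoped checks fail, which is exactly the gap the post describes: passing `_acme-challenge.foo.example` says nothing about whether the client can populate `any.thing.foo.example`. A real validator would resolve the names through DNS (following CNAMEs, which is where the post's caveat comes in) rather than consult a dictionary.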
_______________________________________________ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme