Hi,


I'm new to this group and sorry for the late comment. I just saw this draft and 
have an idea after reading. I'd like to know from you experts whether it's 
reasonable.



The illustration in Section 5 uses Subject Alternative Name (SAN) to list every 
subdomain name in a certificate.

I wonder if this mechanism can be replaced by using a wildcard certificate?

Compared with using the Subject Alternative Name (SAN), a wildcard certificate 
can simplify the complexity and reduce the costs for securing a number of 
subdomains.

As the sub-domain names change, the client with SAN has to re-apply for its 
certificate, but the client with a wildcard certificate does not need to change 
its certificate.

I think wildcard certificates have been commonly used in subdomain management.

As illustrated in Section 5:

  +--------+                  +------+     +-----+
  | Client |                  | ACME |     | DNS |
  +---+----+                  +---+--+     +--+--+
      |                            |            |
    STEP 1: Pre-Authorization of ancestor domain
      |               .            |            |
      |               .            |            |
      |               .            |            |
    STEP 2: Place order for sub1.example.org
      |               .            |            |
      |               .            |            |
      |               .            |            |
    STEP 3: Place order for sub2.example.org.
      |               .            |            |
      |               .            |            |
      |               .            |            |



If there are multiple subdomains, the client has to place an order multiple 
times for every subdomain.

If using a wildcard certificate, the client only needs to place an order once 
for the wildcard certificate.

Then the client can configure its subdomain servers with the same wildcard 
certificate.

  +--------+                  +------+     +-----+
  | Client |                  | ACME |     | DNS |
  +---+----+                  +---+--+     +--+--+
      |                            |            |
    STEP 1: Pre-Authorization of ancestor domain
      |               .            |            |
      |               .            |            |
      |               .            |            |
    STEP 2: Place order for *.example.org
      |                            |            |




This is just a preliminary idea, and please correct me if I'm thinking wrongly.



Regards,

Lei YAN
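As an added example, not part of Lei's message or of the draft, the following Python compares which server names an explicit SAN list covers with what a single `*.example.org` entry covers, using the usual single-label wildcard matching rule; the hostnames and SAN lists are constructed samples.

```python
"""Compare hostname coverage of explicit SAN entries against a wildcard SAN.

Matching follows the common TLS rule (RFC 6125 / RFC 9525): a wildcard is
only honoured as the entire left-most label and matches exactly one label,
so "*.example.org" covers "sub1.example.org" but neither "example.org"
nor "api.sub1.example.org".  All names below are constructed samples.
"""
from __future__ import annotations


def san_matches(hostname: str, san: str) -> bool:
    """Return True if the dNSName SAN entry `san` covers `hostname`."""
    host_labels = hostname.lower().rstrip(".").split(".")
    san_labels = san.lower().rstrip(".").split(".")
    if len(host_labels) != len(san_labels):
        return False  # a wildcard never spans more or fewer labels than one
    first, *rest = san_labels
    if first == "*":
        # Wildcard must be the whole left-most label and must leave at least
        # two labels to its right, so a name like "*.org" is rejected.
        return len(rest) >= 2 and rest == host_labels[1:]
    if "*" in san:
        return False  # partial wildcards such as "sub*.example.org" are not honoured
    return san_labels == host_labels


def uncovered(hostnames: list[str], sans: list[str]) -> list[str]:
    """Hostnames that no entry in `sans` covers, in input order."""
    return [h for h in hostnames if not any(san_matches(h, s) for s in sans)]


# Constructed sample: the per-subdomain orders from the draft's illustration
# versus one wildcard order.
SERVERS = ["sub1.example.org", "sub2.example.org", "sub3.example.org",
           "example.org", "api.sub1.example.org"]
EXPLICIT_SANS = ["sub1.example.org", "sub2.example.org"]
WILDCARD_SANS = ["*.example.org"]

if __name__ == "__main__":
    print("not covered by explicit SANs:", uncovered(SERVERS, EXPLICIT_SANS))
    print("not covered by wildcard:     ", uncovered(SERVERS, WILDCARD_SANS))
```

The check only shows name coverage: the bare ancestor domain and any deeper subdomain still need their own SAN entries or their own order, and every server configured with the wildcard certificate necessarily holds the same private key.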
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme