On 2018-01-13 12:38, josh--- via dev-security-policy wrote:
> Another update, the main thing being that we have deployed patches to our CA 
> that allow TLS-SNI for both renewal and whitelisted accounts, as we said we 
> would in our previous update:
> 
> https://community.letsencrypt.org/t/tls-sni-challenges-disabled-for-most-new-issuance/50316

Would it make sense to effectively allow "self-service" whitelisting by
using a DNS TXT record? This would allow a static DNS configuration (no
need for dynamic records as in DNS-01) and basically allow TLS-SNI-01
users to continue using their existing setup. The record would basically
be an assertion that yes, the domain owner allows the usage of
TLS-SNI-01 and the server it is pointed to will not allow third-party
provisioning of acme.invalid certs.

Another suggestion is to use an SRV record for TLS-SNI-01 validation.
This would serve as an assertion that the method is acceptable and also
allow choosing a different port or even a different hostname/IP
altogether. Supporting this for HTTP-01 would also make sense, e.g. that
would allow using certbot in standalone mode on a nonstandard port,
making it perhaps one of the simplest and most universal validation
configurations, working with any server software as long as you can
provision a single static DNS record.

-- 
Hector Martin "marcan" (mar...@marcan.st)
Public Key: https://mrcn.st/pub
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
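As an added illustration of the proposal above (example code, not part of Hector's post and not Let's Encrypt's or Boulder's code), here is a CA-side policy lookup in Python that models the two records: a TXT record as the domain owner's explicit opt-in for a validation method, and an optional SRV record that moves the check to another port or host. The record names `_acme-policy.<domain>` and `_acme-<method>._tcp.<domain>` and the `v=acme-policy1; allow=...` TXT syntax are assumptions invented for this example; the zone data is constructed inline instead of being resolved. The check is default-deny: without an opt-in record the method is refused, and an SRV record whose target is `.` (the RFC 2782 "service not available" form) also refuses it.

```python
"""Added example: CA-side evaluation of a hypothetical TXT opt-in plus
SRV redirection for ACME validation methods.  Record names and the TXT
syntax are assumptions made for this example, not a published standard."""
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Constructed zone data: owner name -> list of (rrtype, rdata).
# SRV rdata uses RFC 2782 presentation format: "priority weight port target".
ZONE: Dict[str, List[Tuple[str, str]]] = {
    # example.com opts in to both methods and redirects TLS-SNI-01 to a
    # dedicated validator host on 8443, with a lower-priority fallback.
    "_acme-policy.example.com.": [("TXT", "v=acme-policy1; allow=tls-sni-01,http-01")],
    "_acme-tls-sni-01._tcp.example.com.": [
        ("SRV", "10 5 8443 validator.example.com."),
        ("SRV", "20 0 443 backup.example.com."),
    ],
    # Target "." declares the service unavailable, so HTTP-01 is refused
    # even though the TXT record lists it.
    "_acme-http-01._tcp.example.com.": [("SRV", "0 0 0 .")],
    # other.example opts in to TLS-SNI-01 only and has no SRV record, so
    # the default port on the domain itself is used.
    "_acme-policy.other.example.": [("TXT", "v=acme-policy1; allow=tls-sni-01")],
    # nopolicy.example has no records at all: every method is refused.
}

DEFAULT_PORTS = {"tls-sni-01": 443, "http-01": 80}


class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


def lookup(zone: Dict[str, List[Tuple[str, str]]], name: str, rrtype: str) -> List[str]:
    """Return the rdata strings of the given type at an owner name."""
    return [rdata for (rtype, rdata) in zone.get(name, []) if rtype == rrtype]


def parse_txt_policy(txt: str) -> Set[str]:
    """Parse the hypothetical 'v=acme-policy1; allow=a,b' syntax.
    Anything without the expected version tag yields no permissions."""
    fields = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    if fields.get("v") != "acme-policy1":
        return set()
    return {m.strip().lower() for m in fields.get("allow", "").split(",") if m.strip()}


def parse_srv(rdata: str) -> SrvRecord:
    """Parse 'priority weight port target'; raise ValueError on bad input."""
    parts = rdata.split()
    if len(parts) != 4:
        raise ValueError("SRV rdata must have four fields: %r" % rdata)
    priority, weight, port = (int(p) for p in parts[:3])
    target = parts[3]
    for value in (priority, weight, port):
        if not 0 <= value <= 65535:
            raise ValueError("SRV field out of 16-bit range: %r" % rdata)
    if port == 0 and target != ".":
        raise ValueError("port 0 is only meaningful with the '.' target")
    return SrvRecord(priority, weight, port, target)


def choose_srv(rdatas: List[str]) -> Optional[SrvRecord]:
    """Pick the record a client would try first: lowest priority, then the
    highest weight.  Real resolvers randomise among equal priorities by
    weight; this deterministic choice is enough for the policy decision."""
    parsed = []
    for rdata in rdatas:
        try:
            parsed.append(parse_srv(rdata))
        except ValueError:
            continue  # ignore malformed records rather than failing open
    if not parsed:
        return None
    return min(parsed, key=lambda r: (r.priority, -r.weight))


def resolve_validation(zone, domain: str, method: str) -> dict:
    """Decide whether `method` may validate `domain`, and where to connect.
    Default-deny: no opt-in TXT record means the method is not allowed."""
    name = domain.rstrip(".") + "."
    allowed: Set[str] = set()
    for txt in lookup(zone, "_acme-policy." + name, "TXT"):
        allowed |= parse_txt_policy(txt)
    if method not in allowed:
        return {"allowed": False, "reason": "no opt-in TXT record for " + method}
    srvs = lookup(zone, "_acme-%s._tcp.%s" % (method, name), "SRV")
    if not srvs:
        return {"allowed": True, "host": name.rstrip("."), "port": DEFAULT_PORTS[method]}
    best = choose_srv(srvs)
    if best is None or best.target == ".":
        return {"allowed": False, "reason": "SRV record declines the service"}
    return {"allowed": True, "host": best.target.rstrip("."), "port": best.port}


if __name__ == "__main__":
    for dom, meth in [("example.com", "tls-sni-01"), ("example.com", "http-01"),
                      ("other.example", "tls-sni-01"), ("nopolicy.example", "tls-sni-01")]:
        print(dom, meth, resolve_validation(ZONE, dom, meth))
```

The point of the default-deny branch is that the TXT record carries the security assertion from the post (the owner vouches that the target server does not let third parties provision certificates for arbitrary names), so its absence must not fall back to permitting the method; the SRV record only refines where the check is performed once that assertion exists.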
