It would come at the expense of a more streamlined and secure approach (e.g. the ALPN proposal on the acme-wg list), which once standardized I assume Let's Encrypt (and other ACME CAs) would want to fully migrate to.
Alex

On Mon, Jan 15, 2018 at 9:27 AM, Gervase Markham via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 14/01/18 21:32, jacob.hoffmanandr...@gmail.com wrote:
>
> > We discussed a similar approach (using CAA) on our community forum, and concluded we don't want to pursue it at this time: https://community.letsencrypt.org/t/tls-sni-via-caa/50172. The TXT record would probably work more widely than CAA, but it would still be encouraging further integration with TLS-SNI-01, when we really want to encourage migration away from it. Right now it's our feeling that the account and renewal whitelisting should mitigate most of the pain of migrating away, but experience and feedback from subscribers will help inform that over time.
>
> Why would you want to continue migrating away if it were based on a self-serve whitelist? Would that not re-secure the method?
>
> Gerv
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy