I haven't followed the "ACME for subdomains" conversation closely, but the
base semantics of ACME are designed such that they can express "all of"
semantics AND "one of" semantics. For a given Order, a client has to fulfil
*all* the Authorizations; for a given Authorization, a client has to
fulfil

As regards https://tools.ietf.org/html/draft-friel-acme-subdomains-02 ...
Is the idea that the client will, if requesting authz on sub.example.com,
*only* be able to do authz against the parent domain (example.com)?
It would seem advantageous—from the client’s perspective, anyway—to allow a

Document: draft-friel-acme-subdomains-02
Reviewer: Russ Housley
Date: 2020-08-04
Major Concern:
The TODO markers regarding wildcard domain names, the 200 response
code, and the security considerations should be filled in with
strawman text before this I-D is adopted by the ACME WG.
Minor