It’s good to see that there is a great deal of outside interest in this draft.
It would be *really way much better* if we first had the main document done.
Folks involved in that, please don’t get distracted by this – there will be
plenty of time later. But first let’s get the main document in

I would concur that this mechanism far exceeds the original TLS-SNI-0x
proposals.
Significantly, it no longer abuses SNI routing flows over which initial
assumptions about web host behavior were not borne out in the field. Instead,
it requires that the server-side end of the TLS conversation b

Hopefully the validation summit next week will lay out the assumptions on what
needs to happen outside of the CAs’ control to properly perform domain
validation. Accurate technical descriptions of what’s needed for successful
domain validation will help evaluate each method and we’ll be able to

On Mon, Feb 26, 2018 at 3:33 PM, Doug Beattie wrote:
>
> I would find it a bit surprising if the CABF adopted a domain validation
> method that relied on the web hosting provider claiming to do the right
> thing (to separate users on shared IP addresses so they cannot request
> certs from the o

I would find it a bit surprising if the CABF adopted a domain validation method
that relied on the web hosting provider claiming to do the right thing (to
separate users on shared IP addresses so they cannot request certs from the
other customers on that IP address).
Has anyone discussed this

+1
The WG should adopt this document. I will volunteer to help review if
adopted.
On Mon, Feb 26, 2018 at 12:02 PM, Richard Barnes wrote:
> +1
>
> This approach is a major improvement from earlier efforts at a TLS-based
> challenge. It follows normal TLS processing logic much more closely,
>

+1
This approach is a major improvement from earlier efforts at a TLS-based
challenge. It follows normal TLS processing logic much more closely,
differing only in the fact that the certificate presented has an extra
extension. Minimizing the differences w.r.t. normal behavior seems like a
good a