[cabf_validation] New TLS-ALPN Validation Method

Ben Wilson bwilson at mozilla.com
Fri Oct 28 08:08:27 UTC 2022


Thoughts with regard to the following?

https://mailarchive.ietf.org/arch/msg/acme/dIfbBLij_SCeXKoE47tpIVkavTs/

Right now, most of ACME’s validation methods can only be used by
clients with IP addresses in A/AAAA records corresponding to the
identifier, as well as specific open ports. This is perfectly
acceptable for most use cases right now, but it becomes problematic
when managing certificates for the likes of HTTP alternative services
or SVCB/HTTPS targets. Such configurations require a certificate for
the original identifier, but (usually) do not share the same IP
addresses.

dns-01 sidesteps this limitation, but is often less secure since it
usually requires credentials for DNS zone modifications to be
accessible by clients.

I don’t think it is too early to start thinking about more practical
solutions, in advance of draft-ietf-dnsop-svcb-httpssvc being
finalized. Perhaps a new form of TLS-ALPN method that uses an
SVCB/HTTPS record instead of 443/tcp and A/AAAA records? It would need
to ignore the normal precedence rules, as they would preclude
lower-priority targets from getting certificates.
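The contrast drawn in the quoted message, as an added illustration that is not part of either post or of any ACME specification: how the existing TLS-ALPN-01 method picks its connection targets (A/AAAA of the identifier itself, port 443) versus how a SVCB/HTTPS-record variant that deliberately ignores priority would enumerate every alternative-service target. The zone data, host names and addresses below are constructed (documentation ranges), and the proposed-variant logic is my reading of the sketch in the message, not a defined protocol.

```python
"""Target selection for TLS-ALPN-01 as specified today versus the
SVCB/HTTPS-record variant sketched on the ACME list.

Added illustration only; the DNS data is constructed inline so this
runs offline. In both cases the SNI the CA sends is still the original
identifier, since that is the name the certificate is for.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class HttpsRecord:
    """One HTTPS (SVCB-compatible) record: SvcPriority, TargetName, SvcParams."""
    priority: int
    target: str                  # "." means the owner name itself
    params: dict = field(default_factory=dict)


# Constructed zone data (RFC 5737 / RFC 3849 documentation addresses).
ZONE = {
    "A": {
        "www.example.com": ["192.0.2.10"],
        "cdn.example.net": ["198.51.100.7"],
        "backup.example.org": ["203.0.113.9"],
    },
    "AAAA": {
        "www.example.com": ["2001:db8::10"],
    },
    "HTTPS": {
        "www.example.com": [
            HttpsRecord(1, "cdn.example.net", {"port": 8443}),
            HttpsRecord(2, "backup.example.org", {}),
        ],
    },
}


def _addresses(host):
    """All A and AAAA addresses for a host in the constructed zone."""
    return ZONE["A"].get(host, []) + ZONE["AAAA"].get(host, [])


def current_tls_alpn_targets(identifier):
    """RFC 8737 behaviour: connect to the identifier's own A/AAAA addresses
    on 443/tcp. Alternative-service hosts are never candidates, which is the
    limitation the message describes."""
    return [(addr, 443) for addr in _addresses(identifier)]


def proposed_svcb_targets(identifier):
    """Variant sketched in the message: walk every ServiceMode HTTPS record
    for the identifier, ignoring SvcPriority so that lower-priority targets
    can also be validated, and honour the "port" SvcParam (default 443).
    AliasMode records (priority 0) would need alias following; they are
    skipped here to keep the illustration small."""
    targets = []
    for rec in ZONE["HTTPS"].get(identifier, []):
        if rec.priority == 0:
            continue
        host = identifier if rec.target == "." else rec.target
        port = rec.params.get("port", 443)
        targets.extend((addr, port) for addr in _addresses(host))
    return targets


def newly_reachable(identifier):
    """Endpoints the proposed variant would validate that the current method
    cannot reach: the hosts that motivate the proposal."""
    return sorted(set(proposed_svcb_targets(identifier))
                  - set(current_tls_alpn_targets(identifier)))


if __name__ == "__main__":
    ident = "www.example.com"
    print("current :", current_tls_alpn_targets(ident))
    print("proposed:", proposed_svcb_targets(ident))
    print("new     :", newly_reachable(ident))
```

The point the comparison makes is the one in the message: under the current method the CDN and backup hosts can never prove control of www.example.com via TLS-ALPN, so their operators are pushed toward dns-01 and its zone-modification credentials; the variant reaches them, but only because it refuses to stop at the highest-priority record.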