<div dir="ltr"><div>Thoughts with regard to the following?</div><div><br></div><div><a href="https://mailarchive.ietf.org/arch/msg/acme/dIfbBLij_SCeXKoE47tpIVkavTs/">https://mailarchive.ietf.org/arch/msg/acme/dIfbBLij_SCeXKoE47tpIVkavTs/</a></div><div>
<pre class="gmail-wordwrap">Right now, most of ACME’s validation methods can only be used by clients with IP addresses in A/AAAA records corresponding to the identifier, as well as specific open ports. This is perfectly acceptable for most use cases right now, but it becomes problematic when managing certificates for the likes of HTTP alternative services or SVCB/HTTPS targets. Such configurations require a certificate for the original identifier, but (usually) do not share the same IP addresses.
dns-01 sidesteps this limitation, but is often less secure since it usually requires credentials for DNS zone modifications to be accessible by clients.
I don’t think it is too early to start thinking about more practical solutions, in advance of draft-ietf-dnsop-svcb-httpssvc being finalized. Perhaps a new form of TLS-ALPN method that uses an SVCB/HTTPS record instead of 443/tcp and A/AAAA records? It would need to ignore the normal precedence rules, as they would preclude lower-priority targets from getting certificates.</pre>
</div><div><br></div></div>
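<div>The following is an added illustration of the two points in the quoted post, not code from the post, the ACME working group, or any CA. It models a small HTTPS/SVCB zone (all record data is constructed for the example) and contrasts what today's http-01/tls-alpn-01 validators reach (only the identifier's own A/AAAA addresses) with the set of ServiceMode targets a SVCB-aware method would have to validate. The assumption that such a method would visit every ServiceMode target regardless of SvcPriority is taken from the post's suggestion; the alias-chain limit of 8 is an arbitrary loop guard chosen here, since RFC 9460 only requires that clients bound the chain.</div>

```python
"""Added example: HTTPS/SVCB targets versus ACME's A/AAAA-based validation.

Zone data below is constructed for illustration only."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_ALIAS_CHAIN = 8  # assumption: arbitrary loop guard; RFC 9460 only says chains must be bounded


@dataclass
class SvcbRecord:
    owner: str                      # owner name of the RRset this record came from
    priority: int                   # SvcPriority: 0 = AliasMode, >0 = ServiceMode
    target: str                     # TargetName in presentation format
    params: Dict[str, Optional[str]] = field(default_factory=dict)

    @property
    def alias_mode(self) -> bool:
        return self.priority == 0

    def effective_target(self) -> str:
        # In ServiceMode a TargetName of "." denotes the owner name itself.
        if not self.alias_mode and self.target == ".":
            return self.owner
        return self.target


def parse_svcb(owner: str, rdata: str) -> SvcbRecord:
    """Parse 'SvcPriority TargetName [SvcParams...]'. Quoted/escaped values are out of scope here."""
    fields = rdata.split()
    if len(fields) < 2:
        raise ValueError(f"malformed SVCB/HTTPS rdata: {rdata!r}")
    priority = int(fields[0])
    if not 0 <= priority <= 65535:
        raise ValueError("SvcPriority is a 16-bit value")
    params: Dict[str, Optional[str]] = {}
    for item in fields[2:]:
        key, _, value = item.partition("=")
        params[key] = value or None
    return SvcbRecord(owner=owner, priority=priority, target=fields[1], params=params)


def service_records(owner: str, zone: Dict[str, List[str]], depth: int = 0) -> List[SvcbRecord]:
    """Return the ServiceMode RRset for `owner`, following AliasMode records with a loop guard."""
    if depth > MAX_ALIAS_CHAIN:
        raise ValueError(f"AliasMode chain starting at {owner} exceeds {MAX_ALIAS_CHAIN} hops")
    records = [parse_svcb(owner, rdata) for rdata in zone.get(owner, [])]
    aliases = [r for r in records if r.alias_mode]
    if aliases:
        if aliases[0].target == ".":      # AliasMode with "." means the service is not available
            return []
        return service_records(aliases[0].target, zone, depth + 1)
    return records


def client_preferred_targets(owner: str, zone: Dict[str, List[str]]) -> List[str]:
    """Normal SVCB precedence: a client tries only the lowest SvcPriority first."""
    records = service_records(owner, zone)
    if not records:
        return []
    best = min(r.priority for r in records)
    return sorted(r.effective_target() for r in records if r.priority == best)


def svcb_validation_targets(owner: str, zone: Dict[str, List[str]]) -> List[str]:
    """What the proposed SVCB-aware method would have to cover: every ServiceMode target,
    ignoring SvcPriority, because each one must present a certificate for `owner`."""
    return sorted({r.effective_target() for r in service_records(owner, zone)})


def targets_validatable_today(owner: str, zone_https: Dict[str, List[str]],
                              zone_addr: Dict[str, List[str]]) -> List[str]:
    """http-01/tls-alpn-01 connect only to the identifier's own A/AAAA addresses
    (RFC 8555 section 8.3, RFC 8737 section 3), so a target can only answer the
    challenge if it shares one of those addresses."""
    owner_addrs = set(zone_addr.get(owner, []))
    return [t for t in svcb_validation_targets(owner, zone_https)
            if owner_addrs & set(zone_addr.get(t, []))]


# Constructed sample zone: the origin plus two alternative targets on other hosts.
ZONE_HTTPS: Dict[str, List[str]] = {
    "example.com.": [
        "1 . alpn=h2",
        "2 cdn-edge.example.net. alpn=h3,h2 ipv4hint=192.0.2.10",
        "3 backup.example.org. alpn=h2",
    ],
    "alias.example.com.": ["0 example.com."],   # AliasMode pointing at the origin's RRset
}
ZONE_ADDRESSES: Dict[str, List[str]] = {
    "example.com.": ["192.0.2.1", "2001:db8::1"],
    "cdn-edge.example.net.": ["192.0.2.10"],
    "backup.example.org.": ["198.51.100.7"],
}

if __name__ == "__main__":
    print("client would try first:   ", client_preferred_targets("example.com.", ZONE_HTTPS))
    print("all targets needing certs:", svcb_validation_targets("example.com.", ZONE_HTTPS))
    print("reachable by http-01/tls-alpn-01 today:",
          targets_validatable_today("example.com.", ZONE_HTTPS, ZONE_ADDRESSES))
```

<div>Running it shows the gap the post describes: only the origin's own host can pass today's A/AAAA-based challenges, while the CDN edge and backup targets, which need a certificate for the same name, are never contacted. Selecting by the usual lowest-priority rule would likewise stop at the origin, which is why the proposed method has to ignore SvcPriority.</div>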