> This challenge has the big advantage that subscribers only need to do a
> one-time CNAME setup, and renewals can be reliably automated without requiring
> that renewing systems have permission to update DNS. In effect, the CNAME
> record would act like a long-term delegation permitting the CA to issue
> continuously for the base domain.

Yes, not having to validate domains saves customers a lot of time and effort! See BR validation methods #1 and #5 for more information!! 😊

Your proposed method defeats one of the goals of the BR domain control validation requirements, which is to demonstrate control at time of validation, not just at some previous time in the past. That's why the existing, approved validation methods require random numbers to guarantee the validation is fresh and not based on some previous validation.

If control at some time in the past is sufficient, you can just re-use the previous validation, which is allowed in some circumstances (see the BRs).

-Tim

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
