Following this discussion, I've taken a pass at proposing some updates to clarify the "purpose" of domain validation (as suggested by Ben in PR #160 although I started with a new take on it) as well as to clarify the difference between one-off validation and persistent validation. See:
https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-domain-verification-techniques/pull/172/files

John Levine's examples seem to demonstrate that it is very likely that persistent validation is a use-case for DCV. A number of the examples from the use-cases we had in the original Appendix of earlier drafts also showed cases of persistent validation. As such, I think we need to talk about this as we can't really ignore it, and talk about how to do it safely and what the inherent potential problems are. (It may make sense to talk about persistent validation in terms of authorization, but I stayed away from that for this first version.)

If this approach makes sense there's likely some refinement we can make to this text to further clarify on the use-cases and risks.

Erik

On Fri, May 30, 2025 at 5:16 PM John R Levine <[email protected]> wrote:

> On Fri, 30 May 2025, Paul Wouters wrote:
>
> >> and if you're going to do that, you know where to find ACME.
> >
> > Indeed, but is a cron job really a method to confirm continued
> > acceptance of a service? It requires credentials to make a DNS
> > change and in a way only weakens the security model. (just like ACME
> > using DNS-01 doesn't add anything to just publishing TLSA records in
> > the DNS)
>
> Well, it does show that someone or something is awake enough to run the
> cron job while I know from personal experience that TLSA records can go
> stale for quite a while. But we're all waving our hands here.
>
> R's,
> John
>
> _______________________________________________
> DNSOP mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
