zlacker

[return to "So this guy is now S3. All of S3"]
1. paxys+x4[view] [source] 2023-05-04 19:13:35
>>aendru+(OP)
This is a terrible implementation of domain verification. dns-01 and http-01 are more or less standardized at this point. Use them, and don't roll your own. Reference: https://letsencrypt.org/docs/challenge-types/.
◧◩
2. bob102+S9[view] [source] 2023-05-04 19:37:46
>>paxys+x4
I don't get http-based verification in general. If you want to really prove someone owns a domain, make them change an authoritative DNS record. Everything else feels like it is begging for edge cases to crop up. Why should my social media or SSL certificate vendor care about my web servers?
◧◩◪
3. AdamJa+Xe[view] [source] 2023-05-04 20:02:44
>>bob102+S9
It's not about proving ownership, if it was about proving ownership we would do this via something at the registrar level.

It's about proving /control/. If a domain name is pointed to me (my IP/CNAME) I control it and it is reasonable to allow that person to issue an SSL certificate for a domain (or subdomain) under their control. If you, as the domain owner, want to restrict that, CAA exists as your tool to do so.

[go to top]