
The ACME protocol allows this; you just need to control either the DNS records or port 80 on all of the network paths that the certificate authority (e.g. Let’s Encrypt) uses as part of the challenge response protocol.

(Is there a way to permanently opt a DNS name out of such things, I wonder? It seems unlikely that anything would survive a DNS name transfer.)



To some extent, yes: RFC8657

https://community.letsencrypt.org/t/prod-support-for-rfc8657...

https://www.rfc-editor.org/rfc/rfc8657

Though if your threat model includes local and/or internet authorities, you probably want to start thinking about alternative roots of trust.
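
As an added example (not code from this thread, from Let's Encrypt, or from any CA), here is a small model of the check a CA performs against CAA records before issuing, including the RFC 8657 parameters `validationmethods` and `accounturi` the reply above points to. It also covers the earlier comment's point about controlling DNS or port 80: once the zone pins `validationmethods=dns-01`, controlling port 80 on the network path alone is no longer enough. The zone contents, the account URL and the policy of treating unrecognized parameters as non-authorizing are assumptions constructed for the example.

```python
"""
Added illustration of RFC 8659 CAA processing with the RFC 8657 ACME extensions.
Zone data, the pinned account URL and the unknown-parameter policy are constructed
for this example; they are not taken from the thread or from any real CA.
"""
from dataclasses import dataclass

# Hypothetical ACME account URL that the zone owner pins issuance to.
LE_ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/12345"

# Constructed CAA RRsets, keyed by owner name: (property tag, property value).
# The last record (issuewild ";") means: no CA may issue wildcard certificates.
EXAMPLE_ZONE = {
    "example.com": [
        ("issue", "ca.example.net"),
        ("issue", "letsencrypt.org; validationmethods=dns-01; accounturi=" + LE_ACCOUNT),
        ("issuewild", ";"),
    ],
    "www.example.com": [],  # no CAA records here; the parent's RRset governs
}


@dataclass
class IssueRecord:
    issuer: str   # issuer-domain-name; "" means "this record authorizes nobody"
    params: dict  # RFC 8659 parameters, e.g. validationmethods / accounturi (RFC 8657)


def parse_issue_value(value: str) -> IssueRecord:
    """Parse an issue/issuewild property value: issuer-domain-name *(";" tag=value)."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if not p:
            continue
        if "=" not in p:
            raise ValueError(f"malformed CAA parameter: {p!r}")
        tag, val = p.split("=", 1)
        params[tag.strip().lower()] = val.strip()
    return IssueRecord(issuer, params)


def relevant_records(zone, name, tag):
    """RFC 8659 lookup: climb from the name towards the root; the first owner name
    that has any CAA records decides. Returns the records carrying `tag`, or None
    when no CAA RRset exists anywhere in the ancestry."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return [parse_issue_value(v) for t, v in records if t == tag]
    return None


def caa_permits(zone, name, ca_domain, challenge, account_uri):
    """Decide whether `ca_domain` may issue for `name`, given the ACME challenge type
    it actually validated with and the ACME account the order came from.
    Returns (allowed, reason)."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    records = relevant_records(zone, base, "issuewild") if wildcard else None
    if not records:  # no issuewild records: the issue records govern instead
        records = relevant_records(zone, base, "issue")
    if records is None:
        return True, "no CAA RRset in the ancestry: any CA may issue"
    if not records:
        return True, "CAA RRset has no issue/issuewild properties: any CA may issue"
    for rec in records:
        if rec.issuer != ca_domain.lower():
            continue
        # Policy assumed for this example: a record with parameters the CA does not
        # understand does not authorize issuance (the conservative reading).
        if set(rec.params) - {"validationmethods", "accounturi"}:
            continue
        methods = rec.params.get("validationmethods")
        if methods and challenge not in [m.strip() for m in methods.split(",")]:
            continue
        pinned = rec.params.get("accounturi")
        if pinned and pinned != account_uri:  # exact string comparison
            continue
        return True, f"authorized by issue record {rec.issuer!r} {rec.params}"
    return False, f"no CAA record authorizes {ca_domain} via {challenge} from {account_uri}"


if __name__ == "__main__":
    attacker = "https://acme-v02.api.letsencrypt.org/acme/acct/99999"
    for args in [
        ("www.example.com", "letsencrypt.org", "dns-01", LE_ACCOUNT),   # allowed
        ("www.example.com", "letsencrypt.org", "http-01", LE_ACCOUNT),  # wrong method
        ("www.example.com", "letsencrypt.org", "dns-01", attacker),     # wrong account
        ("www.example.com", "ca.example.net", "http-01", attacker),     # unrestricted CA
        ("*.example.com", "letsencrypt.org", "dns-01", LE_ACCOUNT),     # wildcards blocked
        ("other.test", "letsencrypt.org", "http-01", attacker),         # no CAA at all
    ]:
        print(args[0], args[1], args[2], "->", caa_permits(EXAMPLE_ZONE, *args))
```

Note the design choice on the lookup: an owner name with an empty RRset (here `www.example.com`) does not shadow its parent, so the parent's restrictions apply to every subdomain that does not publish its own CAA records. As the reply says, this only constrains CAs that honour CAA; it does nothing against an issuer that does not consult the record or a root of trust you cannot remove.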


How do you intend to generate a certificate if you opted out of these methods?


With a traditional Certificate Authority that confirms real-world identities.



