Proposals in the IETF ACME working group about TLS

Only currently adopted by the ACME working group itself (but not a full RFC yet), and it looks like it is in the public TLS context to me. Posted those here as they wanted this to be adopted by a public CA like LE to implement, in my opinion at least.

abstract:
This document specifies how Automated Certificate Management
Environment (ACME) can be used by a client to obtain a certificate
for a subdomain identifier from a certification authority. This
document specifies how a client can fulfill a challenge against an
ancestor domain but may not need to fulfill a challenge against the
explicit subdomain if certification authority policy allows issuance
of the subdomain certificate without explicit subdomain ownership
proof.

Authors of this draft wanted subdomain auth by authing the parent domain, for easier implementation of large-scale client enrollment, while not strictly required to be working

however

comment (by me)
almost like the dns challenge, but the TXT record is posted on a subdomain
"_acme-challenge_" || base32(SHA-256(Account Resource URL)[0:9])
they wanted to add this to tie/assign CNAME for domain validation to multiple targets

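The label formula quoted in the post, worked through as an added example (not code from the post or from the draft): it derives the per-account validation label and shows that two ACME accounts get distinct names under the same domain, so each can be CNAMEd to its own target. The account URLs, domain and CNAME targets are constructed; reading `[0:9]` as an inclusive range (the first 10 bytes) and lowercasing the base32 output are assumptions.

```python
import base64
import hashlib

PREFIX = "_acme-challenge_"  # literal prefix from the formula quoted in the post


def account_label(account_url: str, nbytes: int = 10) -> str:
    """Return PREFIX || base32(SHA-256(account_url)[0:9]) as one DNS label."""
    digest = hashlib.sha256(account_url.encode("ascii")).digest()
    # ASSUMPTION: "[0:9]" is inclusive, i.e. 10 bytes = 80 bits, which
    # encodes to exactly 16 base32 characters with no "=" padding.
    suffix = base64.b32encode(digest[:nbytes]).decode("ascii").rstrip("=")
    # ASSUMPTION: lowercase for presentation; DNS and base32 are both
    # case-insensitive, so no information is lost.
    label = PREFIX + suffix.lower()
    if len(label) > 63:  # DNS limit for a single label
        raise ValueError("label exceeds 63 octets")
    return label


def validation_name(account_url: str, domain: str) -> str:
    """Full name at which this account's TXT record (or CNAME) is placed."""
    name = f"{account_label(account_url)}.{domain.rstrip('.').lower()}"
    if len(name) > 253:  # DNS limit for a full name
        raise ValueError("name exceeds 253 octets")
    return name


def cname_plan(domain: str, delegations: dict[str, str]) -> dict[str, str]:
    """Map each account's validation name to its own CNAME target."""
    plan = {}
    for account_url, target in delegations.items():
        name = validation_name(account_url, domain)
        if name in plan:  # two accounts must never share a validation name
            raise ValueError(f"label collision at {name}")
        plan[name] = target
    return plan


# Constructed sample input: two accounts at two hypothetical CAs.
SAMPLE = {
    "https://ca-one.example/acme/acct/1001": "solver-a.validation.example.",
    "https://ca-two.example/acme/acct/77": "solver-b.validation.example.",
}

if __name__ == "__main__":
    for name, target in cname_plan("www.example.org", SAMPLE).items():
        print(f"{name}. IN CNAME {target}")
```

Because the label depends only on the account URL, a CNAME created for one account cannot be used to satisfy a challenge for a different account.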