SRVName and XmppAddr support

I received a request to support SRVName and XmppAddr entries for certificate Subject Alternative Names in acmebot. Since I don’t find any mention of these in the ACME spec and have no idea how I would authenticate such entries, I’m presuming Let’s Encrypt wouldn’t sign a request including these. Is that correct?

If so, any plans to add support?

1 Like

The ACME specification only supports DNS identifiers:

https://tools.ietf.org/html/rfc8555#section-7.1.4

The only type of identifier defined by this specification is a fully qualified domain name (type: “dns”).

2 Likes

You’re correct. As @Osiris mentions (thanks!) ACME (RFC 8555) provides no challenge types associated with identifiers other than DNS type.

We have no plans to support these Subject Alternative Name types. Beyond the challenge of how you would validate them we are forbidden by the CA/Browser forum baseline requirements from including them in our certificates. See Section 7.1.4.2. “Subject Information – Subscriber Certificates”, specifically 7.1.4.2.1 “Subject Alternative Name Extension”:

Each entry MUST be either a dNSName containing the Fully-Qualified Domain Name or an iPAddress containing the IP address of a server

Including an OtherName type Subject Alternative Name with the OID for SRVName or XmppAddr would be a misissuance under the BRs by my reading.

Hope that helps explain the situation,

2 Likes

As I suspected, thanks for the quick update.

Please consider this a request to petition the CAB to allow these in a future version of the baseline requirements (and then update ACME to support them).

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.