Why does ACME require domain auth first before CSR?

I don't see a reason why they still should exist. Having a CA that supports ACME in Europe, USA, Asia and Africa should be enough to serve everybody who needs DV certs.

Yours isn't a technical tagged question.

What about OV and EV certificates? There's no reason to not also use ACME for them. (Of course, validation will take longer, and most existing clients aren't built for such long waits, but in principle there's no reason ACME cannot be used for OV and EV as well.)

Besides that, there are still reasons for paid DV certs. For example, they could offer extended client compatibility, or IP address certificates, S/MIME certs, etc. - everything that ACME supports, but isn't supported (yet) by free ACME CAs.

Already implemented in practice, e.g. https://acme.sectigo.com/v2/EV .

That's not set in stone. There are a bunch of valid ways to generate a Request Token that are not related to your CSR (hash of public key, or a random value etc).

As a reseller, you should talk to Sectigo to ask for changes to their validation methods (e.g. random Request Token) that would be compatible with the workflow that you want to achieve.

This request seems to me to be taking a problem that is commercial in nature (what kind of options Sectigo wants to make available to resellers) and trying to undercut them by asking for major changes to ACME.


Yes, Sectigo ACME is not only limited to its commercial customers, and also not opened for its resellers' endpoint customers to use.

No. Not everybody wants to use the services of a company under U.S. jurisdiction. Not everybody can. Diversity is important.

In a sense, can't the USA just kick out a CA by giving an order to the browser vendors?
Like, Apple/Google/Mozilla/MS are all US-based companies, and a CA is effectively killed if it is out of their trust stores.

Maybe, probably, yes, but it's another problem. It's like saying "why fix the privacy issue of DNS, there is SNI" and "why fix the privacy issue of SNI, there is DNS".

(Sorry for the off-topic, I'll split the thread if there are more answers on that subject.)

Yes, that is why I wrote we would need a CA on every continent.
