by jesprenj
252 days ago
I agree that HTTPS is not needed in most cases but ACME challenge to obtain a LE cert can be done securely:

* domain has DNSSEC
* domain has CAA records only allowing DNS challenge and disallowing insecure HTTP challenge

but if we rely on DNSSEC we can just use DANE/TLSA and don't need the mess of CA/PKI
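The CAA setup described in the comment above, as an added example that is not part of the thread: a Python check that every `issue`/`issuewild` property restricts issuance to the `dns-01` method through the RFC 8657 `validationmethods` parameter. The records and the name example.org are constructed, and the check assumes the CA honours that parameter; it does not verify that the zone is DNSSEC-signed.

```python
import shlex

def parse_caa(line):
    """Parse one CAA record in zone-file form into (flags, tag, issuer, params)."""
    fields = shlex.split(line)  # keeps the quoted property value as one field
    i = fields.index("CAA")
    flags, tag, value = int(fields[i + 1]), fields[i + 2].lower(), fields[i + 3]
    issuer, _, rest = value.partition(";")
    params = {}
    for part in rest.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            params[key.strip().lower()] = val.strip()
    return flags, tag, issuer.strip(), params

def audit_caa(records, allowed=frozenset({"dns-01"})):
    """Return findings for properties that allow methods outside `allowed`."""
    findings, issue_seen = [], False
    for line in records:
        _flags, tag, issuer, params = parse_caa(line)
        if tag not in ("issue", "issuewild"):
            continue
        issue_seen = issue_seen or tag == "issue"
        if not issuer:
            continue  # a bare ";" value forbids issuance for this tag
        methods = {m for m in params.get("validationmethods", "").split(",") if m}
        if not methods:
            findings.append(f"{tag} {issuer}: no validationmethods, every challenge type allowed")
        elif methods - allowed:
            findings.append(f"{tag} {issuer}: permits {sorted(methods - allowed)}")
    if not issue_seen:
        findings.append("no issue property: any CA may issue")
    return findings

# Constructed sample record sets (not taken from any real zone).
STRICT = [
    'example.org. 3600 IN CAA 0 issue "letsencrypt.org; validationmethods=dns-01"',
    'example.org. 3600 IN CAA 0 issuewild ";"',
]
WEAK = ['example.org. 3600 IN CAA 0 issue "letsencrypt.org"']
MIXED = ['example.org. 3600 IN CAA 0 issue "letsencrypt.org; validationmethods=dns-01,http-01"']

if __name__ == "__main__":
    for name, rrset in (("STRICT", STRICT), ("WEAK", WEAK), ("MIXED", MIXED)):
        print(name, audit_caa(rrset) or "ok")
```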
DNSSEC is PKI. We don't want to rely on it because it's significantly worse than WebPKI.