SSL on download1.rpmfusion.org
Kevin Kofler
kevin.kofler at chello.at
Sun Sep 25 23:55:26 CEST 2016
Stuart D. Gathman wrote:
> They verify all the SANs for free certs by reading a cookie from the
> website, and that would be impossible for a wildcard. So the SAN list
> is really the only way it could be done for that level of verification.
Right, it's hard to automatically verify wildcards, so they don't do it. You
don't want it to end up like the rogue CA that gave somebody a *.github.io
certificate after verifying control of ${NAME}.github.io.
> Also, letsencrypt only signs ICANN domains - mainly because they use
> the ICANN root to verify the domains. (I.e. they won't help with .bit
> domains among others.)
It is of course also necessary to restrict the possible roots if you want to
verify control of the domain name, or I could let it verify example.com on
my own (hypothetical) rogue .com root. And the easiest way to do that was to
just hardcode the ICANN roots, which are widely recognized as the "official"
ones.
Kevin Kofler
More information about the rpmfusion-developers
mailing list