| ▲ | benburkert 4 days ago | |
Sorry, not trying to obfuscate anything, hopefully this clarifies: users trust us to hold their ACME account key and we only ask for DNS records prefixed with `_acme-challenge.` to be CNAME delegated. With this we could issue or revoke a new certificate, but we couldn't impersonate them because we don't control the rest of their DNS. | ||
| ▲ | dogleash 4 days ago | parent [-] | |
> we couldn't impersonate them because we don't control the rest of their DNS. If that were true, nobody would need signed certificates in the first place. | ||