This idea turned out to be wrong, because you can't get an SSL cert that covers subdomains of subdomains. Only way it works is if I replace dots in the domains with underscores or something. nostr:nevent1qvzqqqqqqypzqprpljlvcnpnw3pejvkkhrc3y6wvmd7vjuad0fg2ud3dky66gaxaqydhwumn8ghj7emvv4shxmmwv96x7u3wv3jhvtmjv4kxz7gqype5hs9p40haeeduru7pdctgle52d5npw9q4g9umk55pytpmts72zwnwcms
Then we should invent subcertificates.
Wildcard certs only cover a single level of subdomain. With *.mostr.pub I can get com.mostr.pub, but I would have to acquire a separate *.com.mostr.pub. There are over 1500 TLDs and growing, and that doesn't even cover fedi servers on subdomains like social.example.com. I still think it's worth doing, but the only practical way is to encode the domain into a single subdomain, e.g. replacing dots with hyphens. But I would need to be careful to handle punycode correctly and prevent spoofing.
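An added Python sketch of the encoding the last post describes, not code from this thread or from mostr.pub: it normalises a hostname to its ASCII (punycode) form with the standard-library IDNA codec, shows why a plain dot-to-hyphen replacement lets one host collide with another, and then uses a hypothetical reversible escape scheme (assumed here: `-0` for a hyphen, `-1` for a dot) so that every distinct host maps to a distinct label under a single wildcard. The zone `mostr.pub` and the DNS length limits (63 bytes per label, 253 per name) are the only values not taken from the post.

```python
"""Map a fediverse hostname onto one DNS label under a wildcard such as *.mostr.pub.

Added example. The escape scheme (-0 for '-', -1 for '.') is an assumption
chosen to be reversible; it is not an existing standard.
"""
import re

LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")
MAX_LABEL = 63   # RFC 1035 label limit
MAX_NAME = 253   # practical limit for a full hostname
ZONE = "mostr.pub"  # assumed wildcard zone


def normalize_host(host: str) -> str:
    """Lowercase, drop a trailing dot and convert to ASCII form via the
    stdlib IDNA codec ('bücher.example' -> 'xn--bcher-kva.example').
    Rejects labels that are not valid LDH hostnames."""
    host = host.strip().rstrip(".").lower()
    if not host:
        raise ValueError("empty hostname")
    ascii_host = host.encode("idna").decode("ascii")
    for label in ascii_host.split("."):
        if not LABEL_RE.match(label):
            raise ValueError(f"invalid label {label!r} in {host!r}")
    return ascii_host


def naive_label(host: str) -> str:
    """The obvious scheme from the post: replace every dot with a hyphen.
    Not reversible: 'social.example.com' and 'social-example.com' collide,
    which is exactly the spoofing risk the post warns about."""
    return normalize_host(host).replace(".", "-")


def encode_label(host: str) -> str:
    """Reversible scheme: every '-' in the output is an escape introducer,
    so an attacker-chosen lookalike host cannot produce another host's label."""
    encoded = normalize_host(host).replace("-", "-0").replace(".", "-1")
    if len(encoded) > MAX_LABEL:
        raise ValueError(f"encoded label too long ({len(encoded)} > {MAX_LABEL})")
    return encoded


def decode_label(label: str) -> str:
    """Inverse of encode_label; raises on malformed escapes."""
    out, i = [], 0
    while i < len(label):
        ch = label[i]
        if ch != "-":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(label):
            raise ValueError("dangling escape")
        code = label[i + 1]
        if code == "0":
            out.append("-")
        elif code == "1":
            out.append(".")
        else:
            raise ValueError(f"bad escape -{code}")
        i += 2
    return normalize_host("".join(out))


def full_name(host: str, zone: str = ZONE) -> str:
    """Hostname that the single wildcard cert for *.zone would cover."""
    name = f"{encode_label(host)}.{zone}"
    if len(name) > MAX_NAME:
        raise ValueError("full name too long")
    return name


def collides(a: str, b: str) -> bool:
    """True when the naive scheme maps two different hosts to one label."""
    return normalize_host(a) != normalize_host(b) and naive_label(a) == naive_label(b)


if __name__ == "__main__":
    for h in ("social.example.com", "social-example.com", "Bücher.Example"):
        print(f"{h:22} naive={naive_label(h):22} safe={full_name(h)}")
    print("naive collision:", collides("social.example.com", "social-example.com"))
```

The collision check is the point: under the naive mapping a registrant of `social-example.com` would be served under the same name as `social.example.com`, while the escaped form keeps them apart and round-trips through `decode_label`. Real hosts with long names will still exceed the 63-byte label limit, so a deployment would need a fallback (for example a hash-based label) for those.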