Hi

Sally registers the domain example.com to host her website. She uses ACME to SSL protect it. Later, Sally loses interest in her website and decides not to renew example.com, and it expires. Steve wants to start a website - he notices that example.com is unregistered, so he registers it and opens his own website on it. He then tries to use ACME to SSL protect it.

How should the ACME server distinguish this (entirely legitimate) domain reuse scenario from a domain hijacking attack? Steve doesn't know Sally and cannot rely on Sally to provide the recovery token. Steve might be very disappointed to discover he can't use ACME for SSL, simply because a previous registrant of the same domain name has already used it. How will the ACME protocol handle this?

One option is maybe the ACME server operator can scan WHOIS records to detect changes in domain ownership. This still might pose a problem for subdomains, e.g. if I allow other people to register under my example.com, and then one of the subdomain users sets up ACME, and then I want to use the subdomain for something else, and then suppose I cannot get the former subdomain assignee to hand over the recovery token.

Maybe we need a way in the protocol for a parent domain controller to revoke control of the child domain. So if I control example.com, and authenticate to ACME using example.com, I can then make ACME revoke foo.example.com, even if I don't know the recovery token for it.

Or possibly, the right solution is non-technical: ACME server operators establish an out-of-band manual process to handle these scenarios. But, even if you decide that is the answer, the RFC should still discuss these scenarios, and require the ACME server operator to establish a policy/business process to handle them.

Regards
Simon

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
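The two mechanisms proposed in the post, a parent-domain holder revoking its children's authorizations and an ownership change clearing a stale binding, modelled as an added toy registry (this is an illustration written for this page, not code from the ACME mailing list or from any ACME implementation; `AuthzRegistry`, `is_subdomain` and the account names are assumed for the example). It also shows the check a server would need so that "example.com" cannot reach "notexample.com":

```python
# Toy model of an ACME-style authorization registry (constructed example,
# not an ACME implementation): each domain is bound to the account that
# validated it, and only that account may act on it or its subdomains.
from dataclasses import dataclass, field


def normalize(domain: str) -> str:
    return domain.lower().rstrip(".")


def is_subdomain(child: str, parent: str) -> bool:
    """True only for proper subdomains on a label boundary:
    foo.example.com is under example.com, notexample.com is not."""
    child, parent = normalize(child), normalize(parent)
    return child != parent and child.endswith("." + parent)


@dataclass
class AuthzRegistry:
    # domain -> account id holding the (recovery-token style) binding
    holders: dict = field(default_factory=dict)

    def grant(self, domain: str, account: str) -> bool:
        """Bind `domain` to `account`; refuse if another account holds it
        (this is exactly Steve's problem in the scenario above)."""
        d = normalize(domain)
        if self.holders.get(d, account) != account:
            return False
        self.holders[d] = account
        return True

    def revoke_subtree(self, parent: str, account: str) -> list:
        """Let the authenticated holder of `parent` revoke every binding
        strictly below it, without knowing the children's recovery tokens."""
        p = normalize(parent)
        if self.holders.get(p) != account:
            raise PermissionError(f"{account} does not hold {p}")
        revoked = sorted(d for d in self.holders if is_subdomain(d, p))
        for d in revoked:
            del self.holders[d]
        return revoked

    def ownership_changed(self, domain: str) -> list:
        """Model the WHOIS-change idea: the server observed a new registrant,
        so the domain and everything under it lose their old bindings."""
        d = normalize(domain)
        dropped = sorted(x for x in self.holders if x == d or is_subdomain(x, d))
        for x in dropped:
            del self.holders[x]
        return dropped
```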
