On 8/11/15 10:52 PM, Richard Barnes wrote:
> Smallest diff change from the current document would be simply to explicitly require the validation value to be bound to the account key that created it -- not the one that signs the response. Since the attack requires that the attacker change keys (using recovery) after receiving the token, the attack only works if the validation is done against the new public key. This option introduces non-trivial implementation complexity, though, since the server now has to remember what key signed the new-authorization request that caused the challenges to be issued.
Doesn't it already have to remember this? The current instructions for verifying a DNS challenge say: "1. Verify the validation JWS using the account key for which this challenge was issued."
Since the challenge was issued before the attacker initiated account recovery to do the key change, the wording implies that the server remembers the original key at validation time.
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
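The key-binding check discussed in this thread, as an added example that is not part of the original messages or of any ACME implementation: the server records, per challenge, the account key that requested the authorization and validates against that key rather than the account's current one. An HMAC tag stands in for the JWS signature, and `Server`, its method names and `acct-1` are hypothetical.

```python
import hashlib
import hmac
import secrets

# Stand-in for JWS: an HMAC tag keyed by the account key (assumption). A real
# ACME server verifies an asymmetric signature; only key selection matters here.
def sign(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()

def verify(key: bytes, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign(key, payload), tag)

class Server:
    def __init__(self):
        self.account_key = {}   # account id -> current account key
        self.issued_to = {}     # challenge token -> key it was issued for

    def new_authorization(self, account: str) -> str:
        token = secrets.token_urlsafe(16)
        # Remember the key that requested the authorization, per challenge.
        self.issued_to[token] = self.account_key[account]
        return token

    def recover(self, account: str, new_key: bytes) -> None:
        # Recovery replaces the current key; issued challenges keep theirs.
        self.account_key[account] = new_key

    def validate_current_key(self, account: str, token: str, tag: bytes) -> bool:
        # Unbound: checks against whatever key the account holds now.
        return verify(self.account_key[account], token.encode(), tag)

    def validate_issuing_key(self, token: str, tag: bytes) -> bool:
        # Bound: checks against the key for which the challenge was issued.
        key = self.issued_to.get(token)
        return key is not None and verify(key, token.encode(), tag)

def demo():
    s = Server()
    old, new = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed keys
    s.account_key["acct-1"] = old
    token = s.new_authorization("acct-1")
    s.recover("acct-1", new)                      # key change after issuance
    tag_new, tag_old = sign(new, token.encode()), sign(old, token.encode())
    return (s.validate_current_key("acct-1", token, tag_new),
            s.validate_issuing_key(token, tag_new),
            s.validate_issuing_key(token, tag_old))
```

`demo()` returns the three validation results in order: the unbound check accepts a response made with the post-recovery key, while the bound check rejects it and accepts only the issuing key.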
