On Wed, Aug 12, 2015 at 1:55 PM, yan <[email protected]> wrote: > > > On 8/11/15 10:52 PM, Richard Barnes wrote: > >> Smallest diff change from the current document would be simply to >> explicitly require validation value bound to account key that created >> it -- not the one the signs the response. Since the attack requires >> that the attacker change keys (using recovery) after receiving the >> token, the attack only works if the validation is done against the new >> public key. This option introduces non-trivial implementation >> complexity, though, since the server now has to remember what key >> signed the new-authorization request that caused the challenges to be >> issued. > > > Doesn't it already have to remember this? The current instructions for > verifying a DNS challenge says: "1. Verify the validation JWS using the > account key for which this challenge was issued." > > Since the challenge was issued before the attacker initiated account > recovery to do the key change, the wording implies that the server remembers > the original key at validation time.
Yeah, good point. I still think that it would be better to simplify things in the way Andrew suggested. --Richard _______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
