Hey all,
First, sorry for the delay in posting draft-ietf-00. I hope to get that done ASAP after we close the issue below.

A little while ago, Andrew Ayer pointed out a signature reuse vulnerability in draft-barnes-acme-01 [0]. As noted in that thread, it is possible to mitigate the vulnerability (but not remove it) by having the ACME server require that the client use the same key to create the challenge and respond to it.

Accordingly, I wanted to go ahead and propose an update to the challenges to actually fix this vulnerability. In brief, the proposed change is as follows:

OLD: Validation value is signature value by account key over challenge token
NEW: Validation value is digest of the account key and challenge token

The idea is to address the issues with reuse of the validation value by having that value be explicitly tied to the account key, vs. binding implicitly via the signature.

For details, see my pull request against draft-barnes-acme [1]. I’ve also implemented it in the boulder ACME server implementation and its node.js test client [2].

I realize there are some engineering ways this update could be made better, but before we start optimizing, I would like to get feedback on whether this change fixes the security issues that have been raised. If there’s general agreement that this change is good for security, then I’ll merge it and pull things over to draft-ietf-00.

Thanks,
--Richard

[0] https://mailarchive.ietf.org/arch/msg/acme/F71iz6qq1o_QPVhJCV4dqWf-4Yc
[1] https://github.com/letsencrypt/acme-spec/pull/223
[2] https://github.com/letsencrypt/boulder/pull/774
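
An added example, not part of the original message and not taken from the pull request or from boulder: one way a validation value can be a digest of the account key and the challenge token, so that the server's check fails for any other account key. The construction (SHA-256 over the token joined to an RFC 7638 JWK thumbprint, as in the later RFC 8555 key authorization) is an assumption, and the function names and sample values are hypothetical.

```python
import base64
import hashlib
import hmac
import json

# JWK members that RFC 7638 requires in the thumbprint input, per key type.
_REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def b64url(data: bytes) -> str:
    """Unpadded URL-safe base64, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON of the required public members only."""
    members = _REQUIRED[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def validation_value(token: str, account_jwk: dict) -> str:
    """Digest that names both the challenge token and the account key."""
    bound = token + "." + jwk_thumbprint(account_jwk)
    return b64url(hashlib.sha256(bound.encode("ascii")).digest())


def server_accepts(published: str, token: str, account_jwk: dict) -> bool:
    """Recompute the value for the account that owns the challenge and
    compare in constant time; nothing is verified against a caller-chosen key."""
    expected = validation_value(token, account_jwk)
    return hmac.compare_digest(published.encode("utf-8"),
                               expected.encode("utf-8"))


# Constructed sample data: placeholder coordinates, not real keys.
TOKEN = "constructed-token-0001"
KEY_A = {"kty": "EC", "crv": "P-256", "x": "constructed-x-A",
         "y": "constructed-y-A", "kid": "not part of the thumbprint"}
KEY_B = {"kty": "EC", "crv": "P-256", "x": "constructed-x-B",
         "y": "constructed-y-B"}

if __name__ == "__main__":
    published = validation_value(TOKEN, KEY_A)
    print("account A:", server_accepts(published, TOKEN, KEY_A))
    print("account B:", server_accepts(published, TOKEN, KEY_B))
```

Because the server derives the expected value from the key on the account that requested the challenge, a value published for one account cannot satisfy a challenge held by another, which is the explicit binding the message describes.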
