Is there any reason why you couldn't rely on a search engine for this? That is, search for "acme endpoint <intermediate CN>" and thereby arrive at a value. That's the "low tech" alternative to packing the URL in the ee or intermediate cert.
On 15 January 2016 at 02:27, Hugo Landau <[email protected]> wrote:
> So while implementing revocation in my ACME client, I came to the
> following problem: how do you know which ACME server issued a
> certificate?
>
> Given an ACME server URL, one can obtain a certificate, but there is no
> reliable way to do the reverse.
>
> If you think about it, it might be desirable to be able to revoke a
> certificate possessing nothing but the certificate. For example, suppose
> you identify a misissued certificate for a domain you control. Under the
> current ACME protocol, if you can prove control of that domain, you can
> revoke the certificate; however, this requires you to know what server
> issued it.
>
> Not sure what the good solutions to this are. One would be to include
> the directory URL as an X.509 or OCSP extension, though that bloats the
> certificate/response. Another might be to reuse the OCSP responder URL,
> so that given an OCSP endpoint, one can obtain the ACME server URL, or
> at least one suitable for revocation.
>
> Something like:
>
> Normal OCSP Request:
> GET http://ocsp.example.com/ocsp/MFMwUTBPME0wSzAJ
>
>
> Revocation Location OCSP Request:
> GET http://ocsp.example.com/ocsp/acme-revoker/MFMwUTBPME0wSzAJ
>
> 302 Found
> Location: https://acme-staging.letsencrypt.org/directory
>
>
> Thoughts?
>
> Hugo Landau
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
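The exchange sketched in the quoted message, worked through on both sides as an added example; this is not code from the thread or from Hugo Landau's ACME client. The responder is a hypothetical in-process stand-in for the CA's OCSP endpoint, the `acme-revoker/` path segment, the responder URL and the directory URL are taken from the quoted sketch, and the function names, the constructed sample OCSPRequest bytes and the https-only check on the redirect target are assumptions of this example.

```python
import base64
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Values from the quoted proposal (the responder URL and directory URL are the
# ones shown in the sketch; the path segment is the one it proposes).
OCSP_RESPONDER = "http://ocsp.example.com/ocsp/"
ACME_DIRECTORY = "https://acme-staging.letsencrypt.org/directory"
REVOKER_SEGMENT = "acme-revoker/"

# Constructed sample: the first 12 bytes of a DER OCSPRequest, chosen so that
# their base64 form is exactly the "MFMwUTBPME0wSzAJ" shown in the sketch.
# A real client builds the request from the certificate's serial and issuer hashes.
SAMPLE_OCSP_REQUEST_DER = bytes.fromhex("30533051304f304d304b3009")

Headers = Dict[str, str]
Fetch = Callable[[str, str], Tuple[int, Headers]]


def ocsp_get_path(ocsp_request_der: bytes) -> str:
    """Base64 of the DER request, as used in GET-style OCSP URLs (RFC 6960 A.1).
    A production client must additionally percent-encode '/', '+' and '='."""
    return base64.b64encode(ocsp_request_der).decode("ascii")


def revocation_locator_url(responder_url: str, request_b64: str) -> str:
    """Derive the proposed 'Revocation Location OCSP Request' URL by inserting
    the acme-revoker/ segment between the responder path and the request."""
    parts = urlsplit(responder_url)
    path = parts.path if parts.path.endswith("/") else parts.path + "/"
    return urlunsplit((parts.scheme, parts.netloc,
                       path + REVOKER_SEGMENT + request_b64, "", ""))


# --- responder side (hypothetical stand-in for the CA's OCSP endpoint) ---
def responder_handle(method: str, url: str) -> Tuple[int, Headers]:
    parts = urlsplit(url)
    prefix = urlsplit(OCSP_RESPONDER).path
    if method != "GET" or not parts.path.startswith(prefix):
        return 404, {}
    rest = parts.path[len(prefix):]
    if rest.startswith(REVOKER_SEGMENT):
        request_b64 = rest[len(REVOKER_SEGMENT):]
        try:
            base64.b64decode(request_b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return 400, {}
        # The request itself is not evaluated: the answer only says which ACME
        # directory can revoke certificates from this issuer.
        return 302, {"Location": ACME_DIRECTORY}
    # Ordinary OCSP lookup; the response body is out of scope here.
    return 200, {"Content-Type": "application/ocsp-response"}


# --- client side ---
def resolve_acme_directory(responder_url: str, ocsp_request_der: bytes,
                           fetch: Fetch = responder_handle) -> Optional[str]:
    """Given only the OCSP responder URL from the certificate's AIA extension
    and the OCSP request built from the certificate, locate the ACME directory
    to use for revocation. Returns None when the responder does not support
    the redirect or the redirect target is unacceptable."""
    url = revocation_locator_url(responder_url, ocsp_get_path(ocsp_request_der))
    status, headers = fetch("GET", url)
    if status != 302 or "Location" not in headers:
        return None
    location = headers["Location"]
    # The redirect arrived over plain http (OCSP is normally unauthenticated),
    # so insist on an https directory before trusting it for an ACME session.
    if urlsplit(location).scheme != "https":
        return None
    return location


if __name__ == "__main__":
    print(resolve_acme_directory(OCSP_RESPONDER, SAMPLE_OCSP_REQUEST_DER))
```

The `fetch` parameter is the only seam: swapping in a real HTTP GET (with redirects disabled, so the 302 is seen rather than followed) turns the client half into a working locator, while the in-process responder keeps the example runnable offline.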
