This isn't sanely automatable. It's unlikely that this will pose an issue if a human wants to figure out the issuing server. But as things stand, to automate things you'd need to maintain a database of CAs to directory URLs.
On Fri, Jan 15, 2016 at 01:55:42PM +1100, Martin Thomson wrote:
> Is there any reason why you couldn't rely on a search engine for this?
> That is, search for "acme endpoint <intermediate CN>" and thereby
> arrive at a value. That's the "low tech" alternative to packing the
> URL in the ee or intermediate cert.
>
> On 15 January 2016 at 02:27, Hugo Landau <[email protected]> wrote:
> > So while implementing revocation in my ACME client, I came to the
> > following problem: how do you know which ACME server issued a
> > certificate?
> >
> > Given an ACME server URL, one can obtain a certificate, but there is no
> > reliable way to do the reverse.
> >
> > If you think about it, it might be desirable to be able to revoke a
> > certificate possessing nothing but the certificate. For example, suppose
> > you identify a misissued certificate for a domain you control. Under the
> > current ACME protocol, if you can prove control of that domain, you can
> > revoke the certificate; however, this requires you to know what server
> > issued it.
> >
> > Not sure what the good solutions to this are. One would be to include
> > the directory URL as an X.509 or OCSP extension, though that bloats the
> > certificate/response. Another might be to reuse the OCSP responder URL,
> > so that given an OCSP endpoint, one can obtain the ACME server URL, or
> > at least one suitable for revocation.
> >
> > Something like:
> >
> > Normal OCSP Request:
> > GET http://ocsp.example.com/ocsp/MFMwUTBPME0wSzAJ
> >
> >
> > Revocation Location OCSP Request:
> > GET http://ocsp.example.com/ocsp/acme-revoker/MFMwUTBPME0wSzAJ
> >
> > 302 Found
> > Location: https://acme-staging.letsencrypt.org/directory
> >
> >
> > Thoughts?
> >
> > Hugo Landau

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
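The OCSP-to-directory lookup sketched in Hugo's quoted message, as an added Python example that is not code from the thread or from any ACME client: it encodes the unsigned OCSP GET request whose base64 prefix (MFMwUTBPME0wSzAJ) the thread quotes, derives the hypothetical acme-revoker URL, and accepts the 302 only when it points at an https directory. The acme-revoker path is the thread's proposal, not a deployed endpoint; the responder URL, issuer hashes and serial are constructed stand-ins.

```python
import base64
from urllib.parse import quote, urlsplit

# AlgorithmIdentifier for SHA-1 (OID 1.3.14.3.2.26 + NULL): the CertID hash RFC 5019 GET clients use.
SHA1_ALGID = bytes.fromhex("3009" "06052b0e03021a" "0500")


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder; nothing built here needs more than a two-byte length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def der_integer(value: int) -> bytes:
    """DER INTEGER, with a leading 0x00 when the top bit would otherwise read as a sign bit."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def ocsp_get_path(issuer_name_hash: bytes, issuer_key_hash: bytes, serial: int) -> str:
    """Encode an unsigned RFC 6960 OCSPRequest for one CertID and return the base64
    path segment of an RFC 5019 GET request (the MFMw... value in the thread)."""
    cert_id = der(0x30, SHA1_ALGID + der(0x04, issuer_name_hash)
                  + der(0x04, issuer_key_hash) + der_integer(serial))
    request = der(0x30, cert_id)                  # Request { reqCert CertID }
    tbs_request = der(0x30, der(0x30, request))   # TBSRequest { requestList SEQUENCE OF Request }
    return quote(base64.b64encode(der(0x30, tbs_request)).decode("ascii"), safe="")


def revocation_location_url(ocsp_responder_url: str, ocsp_path: str) -> str:
    """Hypothetical 'acme-revoker' variant of the OCSP GET URL, as sketched in the thread."""
    return ocsp_responder_url.rstrip("/") + "/acme-revoker/" + ocsp_path


def directory_from_redirect(status: int, headers: dict):
    """Trust the responder's answer only if it is a 302 to an https URL; the directory URL
    anchors everything the ACME client does next, so a plaintext redirect target is refused."""
    if status != 302:
        return None
    target = urlsplit(headers.get("Location", ""))
    return target.geturl() if target.scheme == "https" and target.netloc else None


if __name__ == "__main__":
    # Constructed stand-ins for the issuer name hash, issuer key hash and serial read from the cert.
    path = ocsp_get_path(bytes(range(20)), bytes(range(20, 40)), int.from_bytes(b"\x03" + b"\xa5" * 17, "big"))
    print(revocation_location_url("http://ocsp.example.com/ocsp", path))
    print(directory_from_redirect(302, {"Location": "https://acme-staging.letsencrypt.org/directory"}))
```

An 18-byte serial with 20-byte SHA-1 hashes reproduces the exact structure lengths behind the thread's MFMwUTBPME0wSzAJ prefix.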
