Hi,

I support tightening ACME with additional security controls, and the Account Key seems like a good place to start. But given that we have a DNS-based authorization method, this proposal looks like overkill.

If the attacker has access to the DNS zone for the host being certified, then they can use this access (with DNS-01) to issue a certificate. Moreover, they can change the CAA record or add new ones, making this protection moot. (Reminder: CAA records are evaluated "bottom up", i.e. the most specific one wins).

If the attacker does not have access to the DNS zone, the proposed protection becomes interesting. But then a simpler, easier to manage solution would be to limit the allowed challenges. So maybe instead of specifying an account key, use

example.com. IN CAA 0 issue "example.net; acme-ac=dns-01"

(where "ac" is Allowed Challenge). This would mandate that the CA only use DNS-01 and no other challenge, ensuring that the ACME client must prove control of DNS.

Thanks,
    Yaron
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
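To make the proposal concrete, here is an added example (mine, not Yaron's and not code from any ACME or CA implementation) that evaluates a constructed zone the way a CA might: walk from the requested name toward the root until a label with CAA records is found (the "most specific wins" rule from RFC 8659), then honour the hypothetical acme-ac parameter from the post. The zone contents, the acme-ac name and the function names are all assumptions for illustration; CNAME/DNAME following and issuewild handling are left out.

```python
# Added example, not from the mailing-list post. The zone data is constructed
# and "acme-ac" is the parameter name proposed in the post, not a standard one.
from typing import Dict, List, Optional, Tuple

# Constructed zone: FQDN -> CAA records written as 'flags tag "value"'.
CONSTRUCTED_CAA: Dict[str, List[str]] = {
    "example.com.": ['0 issue "example.net; acme-ac=dns-01"'],
    "sub.example.com.": ['0 issue "other-ca.example"'],
}

def parse_caa(record: str) -> Tuple[int, str, str]:
    """Split 'flags tag "value"' into (flags, tag, value)."""
    flags, tag, value = record.split(" ", 2)
    return int(flags), tag.lower(), value.strip('"')

def find_relevant_caa(name: str, zone: Dict[str, List[str]]) -> Optional[list]:
    """RFC 8659 lookup: climb from the name toward the root and stop at the
    first label that has CAA records, so the most specific record set wins."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zone:
            return [parse_caa(r) for r in zone[candidate]]
    return None

def parse_issue_value(value: str) -> Tuple[str, Dict[str, str]]:
    """'ca-domain; k=v; k2=v2' -> (ca-domain, {k: v})."""
    parts = [p.strip() for p in value.split(";")]
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return parts[0], params

def may_issue(name: str, ca: str, challenge: str, zone: Dict[str, List[str]]) -> bool:
    """True if CA `ca` may issue for `name` after validating with `challenge`."""
    records = find_relevant_caa(name, zone)
    if records is None:
        return True  # no CAA anywhere up the chain: no restriction
    issue_records = [v for _, t, v in records if t == "issue"]
    if not issue_records:
        return True  # CAA present but no issue property: issuance not restricted
    for value in issue_records:
        allowed_ca, params = parse_issue_value(value)
        if allowed_ca != ca:
            continue  # record authorises a different CA (or ";" = nobody)
        allowed_challenge = params.get("acme-ac")  # hypothetical parameter
        if allowed_challenge is None or allowed_challenge == challenge:
            return True
    return False
```

With the constructed zone, example.net may issue for example.com only via dns-01, www.example.com inherits that rule from its parent, and sub.example.com refuses example.net entirely because its own record names a different CA.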