But then again, a key enforcement can also allow for this key not needing to prove a challenge since it already IS approved.

2016-04-22 14:50 GMT+02:00 Yaron Sheffer <[email protected]>:

> Hi,
>
> I support tightening ACME with additional security controls, and the
> Account Key seems like a good place to start. But given that we have a
> DNS-based authorization method, this proposal looks like overkill.
>
> If the attacker has access to the DNS zone for the host being certified,
> then they can use this access (with DNS-01) to issue a certificate.
> Moreover, they can change the CAA record or add new ones, making this
> protection moot. (Reminder: CAA records are evaluated "bottom up", i.e. the
> most specific one wins).
>
> If the attacker does not have access to the DNS zone, the proposed
> protection becomes interesting. But then a simpler, easier to manage
> solution would be to limit the allowed challenges. So maybe instead of
> specifying an account key, use
>
>     example.com. IN CAA 0 issue "example.net; \
>         acme-ac=dns-01
>
> (where "ac" is Allowed Challenge). This would mandate that the CA only use
> DNS-01 and no other challenge, ensuring that the ACME client must prove
> control of DNS.
>
> Thanks,
> Yaron
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
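The allowed-challenge idea from the quoted message, sketched as a CA-side check. This is an added example, not code from the thread or from any ACME implementation. It assumes the proposed, non-standard `acme-ac` parameter carries a single challenge name, uses hypothetical function names, and replaces DNS lookups with a constructed in-memory zone.

```python
# Added example: CA-side evaluation of the proposed "acme-ac" CAA parameter.
# ZONE is constructed sample data standing in for real DNS CAA lookups.
ZONE = {
    "example.com": ['0 issue "example.net; acme-ac=dns-01"'],
    "open.example.com": ['0 issue "example.net"'],  # more specific, no limit
    "example.org": ['0 issue "other-ca.example"'],
}

def parse_issue(record):
    """Parse '<flags> issue "<ca>; k=v"' into (ca, params); None for other tags."""
    flags, tag, value = record.split(None, 2)
    if tag.lower() != "issue":
        return None
    parts = [p.strip() for p in value.strip().strip('"').split(";")]
    params = {}
    for p in parts[1:]:
        if p:
            key, _, val = p.partition("=")
            params[key.strip().lower()] = val.strip()
    return parts[0].lower(), params

def relevant_caa(name, zone=ZONE):
    """Climb from the name toward the root; the closest non-empty CAA set wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []

def challenge_allowed(name, ca, challenge, zone=ZONE):
    """True if `ca` may validate `name` using `challenge` under the CAA set found."""
    _, records = relevant_caa(name, zone)
    issues = [r for r in map(parse_issue, records) if r is not None]
    if not issues:
        return True  # no issue property restricts issuance for this name
    for issuer, params in issues:
        if issuer != ca:
            continue
        allowed = params.get("acme-ac")  # assumption: one challenge name
        if allowed is None or challenge == allowed:
            return True
    return False
```

The `open.example.com` entry shows the "most specific one wins" point from the message: a record placed closer to the name replaces the restriction set at `example.com`, so the parameter only constrains parties who cannot edit the zone.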
