Yes, I considered this. The first version of my proposal, which I didn't
publish, had a 'sufficient' parameter which makes the CAA step
sufficient rather than necessary.

I removed this because it seemed to me like a fundamental transformation
of the CAA record from a necessary to a sufficient step, and that's not
necessarily something that should be done trivially. Moreover I gather
it would not be commercially usable due to current CAB BR guidelines,
so the point is presently moot. And at any rate, completing challenges
is so easy in practice it's not terribly important.

On Fri, Apr 22, 2016 at 02:59:58PM +0200, Philipp Junghannß wrote:
>    but then again, a key enforcement can also allow for this key not needing
>    to prove a challenge since it already IS approved.
>    2016-04-22 14:50 GMT+02:00 Yaron Sheffer <[email protected]>:
> 
>      Hi,
> 
>      I support tightening ACME with additional security controls, and the
>      Account Key seems like a good place to start. But given that we have a
>      DNS-based authorization method, this proposal looks like overkill.
> 
>      If the attacker has access to the DNS zone for the host being certified,
>      then they can use this access (with DNS-01) to issue a certificate.
>      Moreover, they can change the CAA record or add new ones, making this
>      protection moot. (Reminder: CAA records are evaluated "bottom up", i.e.
>      the most specific one wins).
> 
>      If the attacker does not have access to the DNS zone, the proposed
>      protection becomes interesting. But then a simpler, easier to manage
>      solution would be to limit the allowed challenges. So maybe instead of
>      specifying an account key, use
> 
>      example.com. IN CAA 0 issue "example.net; acme-ac=dns-01"
> 
>      (where "ac" is Allowed Challenge). This would mandate that the CA only
>      use DNS-01 and no other challenge, ensuring that the ACME client must
>      prove control of DNS.
> 
>      Thanks,
>          Yaron
>      _______________________________________________
>      Acme mailing list
>      [email protected]
>      https://www.ietf.org/mailman/listinfo/acme
> 

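The "acme-ac" parameter proposed in Yaron's quoted message, together with the most-specific-record-wins lookup he reminds us of, as an added example that is not part of this thread or of any ACME implementation: a CA-side check that climbs from the requested name to the first CAA RRset (the RFC 6844 lookup), parses the issue value, and refuses issuance when the parameter does not list the challenge type the client completed. The parameter name, its comma-separated value format and the zone data are constructed assumptions.

```python
# Added illustration: a CA-side check for the hypothetical "acme-ac" CAA
# parameter. Parameter, value format and ZONE are constructed assumptions.
# Constructed CAA data keyed by owner name: (flags, tag, value) tuples.
ZONE = {
    "example.com.": [(0, "issue", "example.net; acme-ac=dns-01")],
    "www.example.com.": [(0, "issue", "other-ca.example")],
}

def relevant_caa(name: str, zone: dict = ZONE) -> tuple[str, list]:
    """RFC 6844 climb: the closest name (self or ancestor) owning a CAA RRset
    decides policy, so the most specific record wins. CNAMEs are ignored."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if zone.get(owner):
            return owner, zone[owner]
    return "", []

def parse_issue(value: str) -> tuple[str, dict]:
    """Split an issue value 'issuer-domain; key=val; ...' into its parts."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        if key.strip():
            params[key.strip()] = val.strip()
    return parts[0], params

def may_issue(name: str, ca: str, challenge: str, zone: dict = ZONE) -> tuple:
    """May `ca` issue for `name` after the client completed `challenge`
    (e.g. 'dns-01')? An absent CAA RRset leaves issuance unrestricted."""
    owner, rrset = relevant_caa(name, zone)
    if not rrset:
        return True, "no CAA records found; issuance unrestricted"
    for flags, tag, value in rrset:
        if flags & 128 and tag not in ("issue", "issuewild", "iodef"):
            return False, f"{owner} carries an unknown critical tag {tag!r}"
        if tag != "issue":
            continue
        issuer, params = parse_issue(value)
        if issuer != ca:
            continue
        allowed = params.get("acme-ac")
        if allowed and challenge not in allowed.split(","):
            return False, f"{owner} permits {ca} only via {allowed}"
        return True, f"{owner} permits {ca} via {challenge}"
    return False, f"{owner} does not authorise {ca} to issue"
```

Note that www.example.com. is refused for example.net even with dns-01, because its own more specific CAA RRset names a different issuer, which is exactly why an attacker with zone write access can neutralise either form of the control.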