On 20/07/16 14:43, Niklas Keller wrote:
2016-07-20 11:51 GMT+02:00 Yaron Sheffer <[email protected]>:

    Hi,

    At the LURK BoF this week there was some interest in having a solution
    where a domain owner can delegate to some other entity (which we will
    call "the TLS server") the authority to terminate TLS connections on its
    behalf, using short-term certificates. These certificates allow the
    domain owner to terminate the TLS server's authorization when necessary,
    without requiring certificate revocation - which we know doesn't work
    reliably. The certificates' validity is measured in days, e.g. 3 days.

    First, I would like to request the working group to adopt short-term
    certificates as a charter item.

    Second, I would like the group's advice in choosing between two very
    different approaches to this problem.


You can already delegate HTTP-01 by redirecting
`/.well-known/acme-challenge/*` (maybe even just for unknown tokens).

Also, for short-lived certificates, there's already the `notAfter` field
when filing applications for a certificate:

https://ietf-wg-acme.github.io/acme/#rfc.section.6.1.3

Regards, Niklas

In fact, delegating HTTP-01 is a big security issue in the context of rogue CDNs (or CDN employees). Please see https://tools.ietf.org/html/draft-sheffer-lurk-cert-delegation-00#section-4.3

Thanks,
        Yaron

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
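As an added example (not code from this thread, from the ACME draft, or from any ACME implementation), the following Python shows the two mechanisms Niklas points at: an HTTP-01 responder that answers tokens it validated itself and redirects only unknown tokens under `/.well-known/acme-challenge/` to a delegate, and a helper that fills the `notBefore`/`notAfter` fields of a certificate application to ask for a 3-day certificate. The delegate hostname, tokens, key-authorization strings and the CSR placeholder are constructed; the field names follow the linked draft section, and whether a CA honours the requested window is CA policy.

```python
"""Added example: HTTP-01 delegation by redirect, and a short-lived
certificate application.  Hostnames, tokens and keys are constructed."""
import re
from datetime import datetime, timedelta, timezone

ACME_PREFIX = "/.well-known/acme-challenge/"
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")  # ACME tokens are base64url

# constructed: tokens this server validated itself -> key authorization
LOCAL_TOKENS = {
    "tok-local-1": "tok-local-1.THUMBPRINT_OF_OWNER_KEY",
}

# constructed hostname of the delegate (e.g. the CDN) that may answer
# challenges we did not start ourselves
DELEGATE = "https://acme-delegate.example.net"


def respond_http01(path, local_tokens=LOCAL_TOKENS, delegate=DELEGATE):
    """Return (status, headers, body) for a request path.

    200 with the key authorization for a token we validated locally,
    302 to the delegate for an unknown token under the ACME prefix,
    404 for anything else (including path traversal attempts).

    Redirecting only unknown tokens keeps the domain owner able to
    answer its own challenges, but, as the reply above notes, the
    delegate can still obtain certificates for the name on its own.
    """
    if not path.startswith(ACME_PREFIX):
        return 404, {}, b""
    token = path[len(ACME_PREFIX):]
    if not TOKEN_RE.fullmatch(token):
        return 404, {}, b""
    if token in local_tokens:
        return (200,
                {"Content-Type": "application/octet-stream"},
                local_tokens[token].encode("ascii"))
    return 302, {"Location": delegate + ACME_PREFIX + token}, b""


def short_lived_application(csr_b64url, days=3, now_epoch=None):
    """Build the payload of a certificate application that requests a
    validity window of `days` days via the notBefore/notAfter fields.

    `csr_b64url` is the base64url DER CSR (a placeholder in the test);
    `now_epoch` is seconds since the Unix epoch, UTC (defaults to now).
    """
    if now_epoch is None:
        now_epoch = int(datetime.now(timezone.utc).timestamp())
    not_before = datetime.fromtimestamp(int(now_epoch), timezone.utc)
    not_after = not_before + timedelta(days=days)

    def rfc3339(dt):
        return dt.isoformat().replace("+00:00", "Z")

    return {
        "csr": csr_b64url,
        "notBefore": rfc3339(not_before),
        "notAfter": rfc3339(not_after),
    }


if __name__ == "__main__":
    print(respond_http01(ACME_PREFIX + "tok-local-1"))
    print(respond_http01(ACME_PREFIX + "someone-elses-token"))
    print(short_lived_application("PLACEHOLDER_CSR", days=3))
```

The responder serves locally known tokens before redirecting, so the owner never depends on the delegate for its own issuance; the `short_lived_application` helper only expresses the requested window, and a client should still check the issued certificate's actual validity against its policy rather than trust the request was honoured.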
