On 25/11/2016, Philipp Junghannß <[email protected]> wrote:
> Doesn't the request have to be signed and stuff anyway by the account key?
Yes, but such a signature would at most prove authenticity and integrity w.r.t. the request: it would not say anything about whether or not the request is a replay. The reason for having anti-replay nonces in addition to signatures is that, used correctly, they protect against a class of attacks that signatures alone do not prevent.

START ILLUSTRATION

Suppose, for example, that Alice has become incapacitated (or, if Alice is a business, suppose Alice has gone out of business) and as a result, Alice's web server, which was protected by certificates obtained via ACME, is no longer under Alice's control. Suppose further that Mallory has obtained control of Alice's web server, and wants users to think that Alice is still in control of it. Mallory might be able to succeed in that attempt (for example, by requesting up-to-date certificates in Alice's name), if Mallory were able to successfully perform replay attacks, even if Mallory did not have Alice's private key.

END ILLUSTRATION

Maybe not the best illustration, and I haven't grokked ACME well enough yet to be sure whether anything else in ACME would mitigate against such an attack, but hopefully this at least helps to clarify my point.

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
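The point made above, that a valid signature says nothing about freshness, can be shown with a small server-side check. The following Go program is an added example written for this page; it is not code from the thread or from any ACME implementation. It assumes an Ed25519 key as a stand-in for the account key (ACME itself uses JWS with RSA or ECDSA keys and carries the nonce in the JWS protected header, but the structure below is a simplified signed record, not JWS), a hypothetical in-memory `NonceStore`, and a constructed request payload. The nonce is covered by the signature, so it cannot be swapped without the private key, and the store consumes each nonce on first use, so a byte-for-byte replay of a correctly signed request is rejected even though its signature still verifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
)

// NonceStore is a hypothetical server-side pool of single-use nonces.
// Issue hands out a fresh random nonce; Consume accepts it exactly once.
type NonceStore struct {
	mu     sync.Mutex
	issued map[string]bool
}

func NewNonceStore() *NonceStore {
	return &NonceStore{issued: make(map[string]bool)}
}

// Issue creates a 128-bit random nonce and records it as outstanding.
func (s *NonceStore) Issue() (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	n := base64.RawURLEncoding.EncodeToString(buf)
	s.mu.Lock()
	s.issued[n] = true
	s.mu.Unlock()
	return n, nil
}

// Consume reports whether n was issued and not yet used, and removes it so
// that a second presentation of the same nonce (a replay) fails.
func (s *NonceStore) Consume(n string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	if !s.issued[n] {
		return false
	}
	delete(s.issued, n)
	return true
}

// Request is a simplified signed message: the nonce is part of the signed
// bytes, so a client cannot change it without re-signing.
type Request struct {
	Nonce   string
	Payload string
	Sig     []byte
}

func signedBytes(nonce, payload string) []byte {
	return []byte(nonce + "." + payload)
}

// SignRequest is what the legitimate account-key holder does.
func SignRequest(priv ed25519.PrivateKey, nonce, payload string) Request {
	return Request{Nonce: nonce, Payload: payload, Sig: ed25519.Sign(priv, signedBytes(nonce, payload))}
}

var (
	ErrBadSignature = errors.New("signature does not verify under account key")
	ErrBadNonce     = errors.New("nonce unknown or already used (possible replay)")
)

// VerifyRequest checks the signature first, so that unsigned junk cannot
// burn outstanding nonces, and only then consumes the nonce.
func VerifyRequest(store *NonceStore, pub ed25519.PublicKey, r Request) error {
	if !ed25519.Verify(pub, signedBytes(r.Nonce, r.Payload), r.Sig) {
		return ErrBadSignature
	}
	if !store.Consume(r.Nonce) {
		return ErrBadNonce
	}
	return nil
}

// ReplayDemo runs three submissions against one store and returns their
// outcomes: a fresh signed request, an exact replay of it, and a replay with
// a freshly issued nonce substituted but the old signature kept.
func ReplayDemo() (first, replay, tampered error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	store := NewNonceStore()
	nonce, err := store.Issue()
	if err != nil {
		return err, err, err
	}
	req := SignRequest(priv, nonce, `{"action":"new-order"}`) // constructed payload
	first = VerifyRequest(store, pub, req)
	// Identical bytes: signature still valid, nonce already consumed.
	replay = VerifyRequest(store, pub, req)
	// Attacker without the private key swaps in a fresh nonce; signature no longer covers it.
	fresh, err := store.Issue()
	if err != nil {
		return first, replay, err
	}
	tampered = VerifyRequest(store, pub, Request{Nonce: fresh, Payload: req.Payload, Sig: req.Sig})
	return first, replay, tampered
}

func main() {
	first, replay, tampered := ReplayDemo()
	fmt.Println("fresh request:   ", first)
	fmt.Println("exact replay:    ", replay)
	fmt.Println("nonce swapped in:", tampered)
}
```

Run as-is, the fresh request is accepted, the exact replay fails on the nonce check despite a valid signature, and the nonce-swapped copy fails on the signature check. The two failures are exactly the division of labour described above: the signature binds the message to the key holder, the single-use nonce binds it to one moment in time.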
