Hi, It is part of the ACME security model that clients use the key authorizations they have computed themselves for fulfilling challenges.
However, Sections 7.1.4. and 7.1.5. give examples of the server returning the keyAuthorization as part of the challenge object. If the client follows the schema 1. fulfill challenge 2. POST challenge URL it is unlikely that the keyAuthorization returned by the server would be used to fulfill the challenge (again). However, it should be possible to obtain a working ACME client by POSTing to the challenge URL first and using the keyAuthorization returned by the server (and possibly changed by the server) to fulfill the challenge afterwards. This should work since the servers challenge checks (DNS, HTTP, ...) are not instantaneous and even retried. In this case the MitM protection is bypassed by incautious client implementation. If my interpretation is correct, I would suggest that the server MUST NOT return the keyAuthorization object. That would reduce the likelihood that the client is using a keyAuthorization fields returned by the server. Maybe it would be also worth pointing out that clients MUST use the keyAuthorization they computed themselves. However, without context that might become a confusing tautology. One more thing: During client implementation I also started to wonder if I should check the identifier values (i.e. domains) the server returns in challenges. I don't see an immediate risk in fulfilling challenges for arbitrary domains the server returns to the client. But maybe there would be a security benefit in checking if the challenge identifiers match (up to some sub-domain logic) the once passed to newOrder/newAuthz originally or are 'managed by the client in general'. This would be relevant if the client has access to a domains web- or dns-server, but this domain should only use ACME with a different CA/JWK or no ACME at all. Best, Sophie _______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
