Hello folks,

As I'm sure many of you are aware by now, recent developments[0] [1] [2]
have identified real-world server/hosting configurations that violate the
assumptions of TLS-SNI-01 as well as its currently specified replacement,
TLS-SNI-02.

In light of these issues and the feasibility of addressing them across the
entire Internet it seems prudent that the ACME specification remove this
challenge type pending the development of a better alternative
(TLS-SNI-03?). I've submitted https://github.com/ietf-wg-acme/acme/pull/390
to make this change.

It also seems prudent that the working group take its time considering the
design and specification of TLS-SNI-03. It will also take time for there to
be server and client implementations of a new TLS-SNI-03 specification once
ready.

With these thoughts in mind I think we should consider TLS-SNI-03 outside
the scope of the current draft and proceed with a draft that has only
HTTP-01 and DNS-01 challenge types, deferring TLS-SNI-03 for a follow-up
document.

What are the thoughts of the other WG participants?

- Daniel / @cpu

[0]: https://community.letsencrypt.org/t/2018-01-09-issue-with-tls-sni-01-and-shared-hosting-infrastructure/49996
[1]: https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188
[2]: https://labs.detectify.com/2018/01/12/how-i-exploited-acme-tls-sni-01-issuing-lets-encrypt-ssl-certs-for-any-domain-using-shared-hosting/
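For readers who have not followed the linked threads, the following added example (not part of the post, and not code from the ACME drafts or any CA) models what a tls-sni-01 validator actually checks, so the "assumption" the post refers to is concrete. The SAN construction (hex SHA-256 of the key authorization, split 32/32 under `.acme.invalid`) is my recollection of the draft, the token, thumbprint and host names are constructed sample values, and the hosting IP is modelled as a plain dictionary from SNI name to the SAN list of the certificate served for it. The point it makes is the validator's: the domain under validation enters the decision only through the IP it resolves to, so on an IP shared by many tenants the result depends on which tenant installed a certificate under that SNI name, which is the configuration the post says violates the challenge's assumptions.

```python
import hashlib
from typing import Dict, List

# Constructed sample inputs for illustration (not values from the post or the drafts).
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"


def key_authorization(token: str, thumbprint: str) -> str:
    """ACME key authorization string: token '.' base64url(JWK thumbprint)."""
    return f"{token}.{thumbprint}"


def tls_sni_01_name(key_authz: str) -> str:
    """Name the CA expects in the served certificate's SAN list.

    Assumption (recalled from the tls-sni-01 draft, not taken from the post):
    Z = lowercase hex SHA-256 of the key authorization, presented as
    Z[0:32] '.' Z[32:64] '.acme.invalid'.
    """
    z = hashlib.sha256(key_authz.encode("ascii")).hexdigest()
    return f"{z[:32]}.{z[32:]}.acme.invalid"


# Toy model of one hosting IP: SNI name -> SAN list of the certificate served for it.
# A shared host routes purely by SNI; whoever installed a cert under a name answers for it.
HostTable = Dict[str, List[str]]


def served_sans(host: HostTable, sni: str) -> List[str]:
    """What the IP presents for a given SNI (its default certificate if no exact match)."""
    return host.get(sni, host.get("*default*", []))


def ca_validates(host: HostTable, token: str, thumbprint: str) -> bool:
    """The validator's entire tls-sni-01 decision: resolve the domain to an IP (here:
    pick the table), open TLS with SNI = expected name, accept iff that name is among
    the served certificate's SANs. The domain itself never enters the check beyond
    selecting the IP, which is the assumption that shared hosting breaks."""
    expected = tls_sni_01_name(key_authorization(token, thumbprint))
    return expected in served_sans(host, expected)


def demo() -> Dict[str, bool]:
    """Run the validator against two constructed hosts: one that serves the challenge
    certificate for the expected SNI and one that only has its default certificate."""
    expected = tls_sni_01_name(key_authorization(TOKEN, THUMBPRINT))
    host_with_cert: HostTable = {"*default*": ["www.example.test"], expected: [expected]}
    host_without: HostTable = {"*default*": ["www.example.test"]}
    return {
        "with_challenge_cert": ca_validates(host_with_cert, TOKEN, THUMBPRINT),
        "without": ca_validates(host_without, TOKEN, THUMBPRINT),
    }


if __name__ == "__main__":
    print(tls_sni_01_name(key_authorization(TOKEN, THUMBPRINT)))
    print(demo())
```

Contrast this with http-01 and dns-01, which the post proposes keeping: there the CA's check is keyed on the domain's own name (a path under it, or a TXT record at it), not on whatever an IP answers for an `.acme.invalid` SNI.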
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme