On Tue, Jan 16, 2018 at 12:12:00PM +0200, Joona Hoikkala wrote:
>
> While ACME tries to promote automation of the challenge validation, the
> landscape of said automation looks rather grim. DNS server software and
> service providers rarely provide means to limit the privileges of
> credentials used to update DNS zones.
>
> This leads to users being forced to use and save their credentials often
> equipped with inflated privileges to every machine that needs to acquire
> certificates using DNS challenges, effectively meaning that when one of
> such machines gets compromised so does the whole DNS zone, or multiple
> zones in some cases.
It should be noted that currently compromise of the automation itself is
catastrophic. Even if you do not run the automation as root nor give it read
access to TLS keys, which prevents trivially stealing your TLS keys. And even
if you do not give it unneeded validation authority. This is because the
authority of automation necessarily includes obtaining certificates for
arbitrary keys, so if an attacker cannot extract your key, they can just
substitute their own.

HPKP could address attacks like this. Unfortunately, it is being deprecated,
with "replacement" being Certificate Transparency. Unfortunately, CT does not
help against attacks like this, because after the certificate has been issued,
it is too late as revocation does not work.

I earlier had an idea of Public Key Pinning with CAA records. It would be much
safer than HPKP (because if keys get lost, they can be rather quickly changed)
and could actually help against the issue (as CAA is proactive, not reactive
like CT). I should post a draft about it...

-Ilari

Acme mailing list
https://www.ietf.org/mailman/listinfo/acme
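As an added illustration that is not part of the thread, a BIND 9 named.conf fragment showing the over-privileged DNS-01 update credential Joona describes next to a scoped alternative; the key name, zone name, secret and file path are placeholders, not values from the list.

```conf
# Constructed example, not from the ACME list thread.
# Key name, zone, secret and file path are placeholders.

# TSIG key handed to the ACME client on the web host.
key "acme-dns01-key" {
    algorithm hmac-sha256;
    secret "BASE64-SECRET-PLACEHOLDER";
};

zone "example.com" {
    type master;   # "primary" on newer BIND releases
    file "/var/lib/bind/example.com.db";

    # WEAK: any holder of the key may rewrite every record in the zone,
    # so a compromised web host takes the whole zone with it.
    # allow-update { key "acme-dns01-key"; };

    # SCOPED: the key may only change TXT records at the exact name the
    # DNS-01 challenge uses. A compromised host can still obtain
    # certificates for example.com (the point Ilari makes above), but
    # it cannot touch A, MX, NS or any other record in the zone.
    update-policy {
        grant acme-dns01-key name _acme-challenge.example.com. TXT;
        # For many hostnames in one zone, a wildcard rule keeps the
        # same TXT-only restriction:
        # grant acme-dns01-key wildcard _acme-challenge.*.example.com. TXT;
    };
};
```

Scoping the key does not remove the residual risk Ilari describes (issuance for an attacker-chosen key), but it confines a compromise of the web host to that one name's challenge records rather than the whole zone.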
