Hi Alexey,

thanks for working on the "email-reply-00" challenge. I would very much 
welcome a good mechanism to automatically distribute certificates for use with 
S/MIME.

I have two questions / suggestions regarding your proposal:

3.2.  ACME response email
-------------------------

You suggest sending the challenge response via email. What is the reason for 
choosing email as the medium for this?

SMTP does allow choosing an arbitrary "From:" address, so just being able to 
send an email with a specific "From:" address alone doesn't prove anything.

But sending an email does require specific setup on the client side (like SMTP 
relay server, port, login, ...), which makes it harder to use an ACME client 
program that is not fully integrated into an email program.

Couldn't the token just be transmitted back to the CA via HTTPS like the rest 
of the ACME protocol?


Challenge email and mail filtering
----------------------------------

If "email-reply-00" becomes popular (I'm hoping it will), it will most 
probably attract scammers who will try to trick users into giving away 
passwords and so on. As the challenge email mostly contains a random token, it 
is not easy for mail filtering gateways to filter out scam emails and let 
legitimate challenge emails through. I think we should design the protocol in 
a way that makes it easy for mail filtering gateways to do the right thing:

1. Every CA should publish (on their webpage or in a specification document) a 
static "From:" address they use when sending their challenges. This could be 
used by gateways for whitelisting purposes.

2. As simple whitelisting without further checks isn't a good idea, the 
authenticity of the challenge email should be verifiable by the filtering 
gateway.

I propose that the CA should sign all challenge emails with S/MIME to do this. 
As most email programs already automatically check S/MIME signatures, this 
would also allow users of manual ACME client programs to verify the 
authenticity of the challenge email.

What do you think?

Kind regards,

Gerd
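The two-step gateway check proposed above (a published static "From:" address plus an S/MIME signature the gateway can verify), as an added example that is not part of the original email or of the ACME draft. It assumes the openssl command line tool is installed; the CA address, recipient, certificate and token are all constructed for the demo.

```shell
#!/bin/sh
# Added example: a CA signs its ACME challenge email with S/MIME and a mail
# gateway accepts it only if the From: address is the CA's published one AND
# the signature verifies against the CA certificate the gateway trusts.
# Every name, address and token below is constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_ADDR="acme-challenge@ca.example"   # the static, published From: address

# 1. Constructed CA signing identity (self-signed, demo only).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$CA_ADDR" \
  -addext "subjectAltName=email:$CA_ADDR" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. Constructed challenge text; the token is the only variable content.
printf 'Your email-reply challenge token is: %s\n' "CONSTRUCTED-TOKEN-123" \
  > "$WORK/body.txt"

# 3. CA side: produce a multipart/signed message (detached PKCS#7 signature).
openssl smime -sign -text -in "$WORK/body.txt" -out "$WORK/signed.eml" \
  -signer "$WORK/ca.crt" -inkey "$WORK/ca.key" \
  -from "$CA_ADDR" -to alice@example.net -subject "ACME email-reply challenge"

# 4. Gateway side: returns 0 (accept) only when both checks pass.
gateway_accepts() {  # $1 = path to the received message
  from=$(sed -n 's/^[Ff]rom:[[:space:]]*//p' "$1" | head -n 1 | tr -d '\r')
  [ "$from" = "$CA_ADDR" ] || return 1          # not the published address
  openssl smime -verify -in "$1" -CAfile "$WORK/ca.crt" \
    -out /dev/null >/dev/null 2>&1              # signature and chain check
}

# 5. A copy whose token was altered in transit must be rejected, even though
#    its From: header is still the published address.
sed 's/CONSTRUCTED-TOKEN-123/CONSTRUCTED-TOKEN-999/' "$WORK/signed.eml" \
  > "$WORK/tampered.eml"

if gateway_accepts "$WORK/signed.eml"; then
  echo "genuine challenge: accepted"
fi
if ! gateway_accepts "$WORK/tampered.eml"; then
  echo "tampered challenge: rejected"
fi
```

The From: comparison alone would pass for the tampered copy; only the S/MIME verification rejects it, which is why the proposal needs both steps.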



_______________________________________________
Acme mailing list
https://www.ietf.org/mailman/listinfo/acme