Thanks for posting this. It does not seem to be related to ACME - that is, what you’re describing is more broadly a set of concerns with the methods that may be used to validate a domain. For example, ACME is a strict, well-defined subset of that which is permitted by the CA/Browser Forum’s Baseline Requirements. By focusing only on ACME, it seems like it leaves significantly greater risk that other CAs will fail to adopt mitigations.
That said, I do have to disagree with the very premise of High Risk Domains. That’s a sort of discussion without data, especially since EV does not meaningfully provide any security benefit to domain validation. As that seems to mix personal opinions with otherwise well-founded recommendations, could you speak to why you believe there’s any value in those approaches?

On Sun, Oct 21, 2018 at 6:38 PM Tobias Fiebig <[email protected]> wrote:

> Dear all,
> At the IETF in Montreal, I presented findings on security issues with
> domain validation in ACME, and were encouraged to write a short draft
> outlining attacks and possible defenses. We now created a first draft,
> which outlines the general structure and contents we are aiming for, see
> https://datatracker.ietf.org/doc/draft-fiebig-acme-esecacme. We are
> looking forward to your input on our plans.
>
> Kind regards,
>
> Dr.-Ing. Tobias Fiebig,
> Assistant Professor / Universitair Docent
> Department Engineering Systems and Services
>
> Informatie- en Communicatie Technologie (ICT)
>
> TU Delft / Dept. ESS
> Faculty of Technology, Policy and Management (TBM)
> Building 31
> Jaffalaan 5 - room B3.170
> 2628 BX Delft
> P.O.Box 5015
> 2600 GA Delft, The Netherlands
> T +31 (0)15 27 85700
> E [email protected]
>
> Present: Monday through Friday
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
