Hey Matt, In general I think this is a good idea. It's a concept that has been discussed in a handful of venues in the past, and would certainly be a good thing to have.
That said I'm not _entirely_ sure that ACME is the right place to specify it. I think tying such a mechanism too closely to ACME is, unfortunately, a barrier to getting the method adopted elsewhere. If we wanted to say get this mechanism adopted by the CABF as a mandated revocation mechanism for instance I think it'd be better to define the mechanism in isolation from a protocol so that it could be subsumed into other APIs more easily. ACME could then build an endpoint extension that implemented this mechanism. I guess in practice we could do this in an ACME draft by separately specifying the mechanism and the API extension, such that the mechanism could be implemented independently from the API, but I worry it would end up being forever branded as 'an ACME thing' (which who knows, may not be a terrible thing). But yeah, I think this is something that should definitely be considered, either in ACME or perhaps lamps? I'd be happy to help I-D-ifying any proposal if you'd like the assistance. Thanks, Roland On Thu, Jun 18, 2020 at 4:21 PM Matt Palmer <[email protected]> wrote: > Hi everyone, > > A corner case of the ACME protocol for certificate revocation by proving > possession of the private key is that the private key needs to be available > to the client which is performing the revocation request. In some cases, > this is not possible and/or practical, leading to a situation in which > entirely valid revocation requests cannot be processed via ACME, and need > to > be handled via some other mechanism. > > The specific use case I have in mind is for revocations for key compromise > which are carried out by the Pwnedkeys Revokinator, which is a service I > run > to request revocation of certificates using keys known to the > pwnedkeys.com > database as being compromised. > > When pwnedkeys finds a compromised key which is used in an existing > certificate, it is possible to use the key to request revocation via the > existing ACME-provided mechanism. However, it does happen on occasion that > a certificate is issued for a key which was already in the pwnedkeys > database, and that causes a problem. > > For security reasons, the private keys themselves are not kept online. > Only > a proof of compromise (a JWS and CSR whose content states clearly that the > key is compromised) is available to the public Internet. As a result, the > Revokinator cannot execute an ACME revokeCert request, because it doesn't > have access to the private key to sign the JWS. At present, that means > that > the only solution I have is to e-mail the CA and request that they manually > revoke the certificate in question, using the CSR as proof of compromise. > > Another use case I can think of is analogous to the PGP concept of a > "revocation certificate". Consider the case where, for whatever reason, an > ordinary user of an ACME CA loses access to the private key used in a > certificate or ACME account, and wishes to notify the CA that the key > should > no longer be trusted. While it is possible to deactivate an account if you > have the private key, you cannot do so if the keys have been abstracted and > then destroyed -- say, in a randomware+blackmail attack, which are, sadly, > all too common. > > For these reasons, I'm interested to know if the ACME WG would be willing > to > consider adopting a draft specifying a protocol mechanism which extended > ACME to allow a revocation request to be submitted which did not require > immediate access to the private key being revoked. I don't have a document > prepared, however I've considered the possible mechanisms extensively > through my other work in demonstrating key compromise, and would be willing > to put in the time to write a "pre-draft" for consideration if the WG > expressed in-principle support for adoption. > > Thanks, > - Matt > > _______________________________________________ > Acme mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/acme >
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
