I don't see any problem with it since: 1: It requires possessing a account key with a valid authorization for the domain in question. In my eyes, one that posess such a key IS the valid domain owner. If you can't keep your account key secret, what says you can keep your certificate keys secret?
2: A domain whose account key has leaked out, is already compromised in some way or another. For example, you could hack into the ACME client server and steal the key, and then place a trojan which transmits the order ID to you under the current regime. Adding a order list still needs you to somehow listen on the victim to time the attack correctly. The only victims that this attack will work on, is victims that let an authorized order stay for days rather than finalizing it immediately. -----Ursprungligt meddelande----- Från: David Weitzman <[email protected]> Skickat: den 21 oktober 2022 23:33 Till: [email protected] Ämne: [Acme] Potential race condition attack via account pending order lists The attack described below wouldn't work on Let's Encrypt because it hasn't implemented the order list feature yet, so this is more of a hypothetical attack for anyone who finishes implementing the standard. Scenario: 1) A hacker secretly stole a copy of an account private key months ago 2) This hacker periodically polls that account's info and looks the order list 3) Today the hacker gets lucky: the order list reveals a pending order that hasn't been fulfilled yet 4) The real DNS/HTTP website owner finishes authorizing the certificate, but has not yet finalized the order 5) The hacker swoops in at the last minute and submits a CSR to /acme/order/abc123/finalize, winning the race condition to finalize the request 6) The CA grants the request, presuming that because the hacker has the account key it must be the same client who proved ownership of the domain Now the hacker has obtained a signed certificate for a domain without ever having control of DNS or HTTP serving for that domain. Some ideas to prevent this attack: - Don't support order listing in the standard. Seems like people have been doing fine so far without it. - Support listing valid and invalid orders, but not pending orders - Have an additional, temporary, order-specific secret that's used both when creating an order and when finalizing it. This allows the order list to reveal the existence and status of an order without revealing the extra secret a client would need to finalize it. _______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme _______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
