@mholt on GitHub found that they are injecting RCE into acme.sh. Be aware.

https://github.com/acmesh-official/acme.sh/issues/4659

On 2023-06-09 at 4:55 PM, Q Misell wrote:
Hi Amir,

TIL about HiCA. They do seem like a weird bunch!

I note they only allow ACME.sh as an ACME client and forbid every other client in their EULA (https://www1.hi.cn/en/docs/getting-started/acme.sh-installation). They also have some interesting ideas about patents surrounding ACME (https://www1.hi.cn/en/docs/tutorial-expert/challenge/challenge-types-dns-or-http). I can also find no mention in their docs of how they support ".onion" domains, and absolutely no reference to the CSR method. I will have to have a poke at their ACME server to see how they implement it, but I don't expect any revolutionary ideas.

Thanks,
Q

On Thu, 8 Jun 2023 at 21:26, Amir Omidi <amir=40aaomidi....@dmarc.ietf.org> wrote:

    Wrong URL, apologies:
    https://www1.hi.cn/hica-vs-letsencrypt/

    On Thu, Jun 8, 2023 at 15:08 Amir Omidi
    <aaomidi=40google....@dmarc.ietf.org> wrote:

        I support the draft as it is for adoption. I’m also curious if
        https://www.hi.cn/hica-vs-letsencrypt/ is potentially using
        the draft as well for their onion support?

        On Sun, Jun 4, 2023 at 08:07 Stephen Farrell
        <stephen.farr...@cs.tcd.ie> wrote:


            Hiya,

            On 04/06/2023 12:06, Deb Cooley wrote:
            > This will be a two week call for adoption ending on 16 June. Please
            > speak up either for or against adopting this draft.

            I had a read of the draft. I support adoption.

            I'm not sure I understand the security of the challenge
            schemes sufficiently from reading the draft, but that's
            something that can be addressed as the WG works on it.

            To be clear: I'm not asking that the draft fully set out
            why these challenge types are (or are not, for dns-01)
            secure, but I reckon it's important the WG satisfy itself
            about that as the work proceeds, given that there have been
            subtle issues with challenges in the past.

            There're also some terminology things to get right, e.g.
            that .onion is not a TLD but a special-use domain name.
            (SUDNs are controversial enough things that it'll be
            worth trying to get that text to where it irritates
            the smallest number of people possible, even if that'll
            never be zero:-)

            Cheers,
            S.

            >
            > Thanks,
            > Deb
            >
            >
            > _______________________________________________
            > Acme mailing list
            > Acme@ietf.org
            > https://www.ietf.org/mailman/listinfo/acme

--
                
        Amir Omidi
        Software & Security Engineer
        aaom...@google.com







-- Amir Omidi (he/them)


