Re: [Acme] Account deletion for security currently useless if rolled over

2016-04-21 Thread Salz, Rich
It’s not stupid ? Understanding the terms used (such as PR in this WG :) can be among the hardest parts.
> Will make a draft...
Great, looking forward to it!
--
Senior Architect, Akamai Technologies
IM: richs...@jabber.at Twitter: RichSalz

Re: [Acme] Account deletion for security currently useless if rolled over

2016-04-21 Thread sheel.at
Thank you, T. Hardie.
R. Salz: Well, sorry for asking something stupid :rolleyes: I know git, and it's clear what's requested. I just didn't make the connection from PR to git, being somewhere where this abbreviation isn't used for "pull request", and having lots of other things in mind. Will

Re: [Acme] Account deletion for security currently useless if rolled over

2016-04-21 Thread Salz, Rich
> What is a PR? :)
Assuming the question is serious, take a look at this tutorial: https://yangsu.github.io/pull-request-tutorial/
Alternatively, post a diff to the list with the changes you'd like to see.

Re: [Acme] Account deletion for security currently useless if rolled over

2016-04-21 Thread sheel.at
What is a PR? :)
On 18.04.2016 18:51, Richard Barnes wrote:
These sound like good recommendations to go in the account deletion section. Would you like to draft a PR?
Anyways, it's good to see that I wasn't stupid somehow, and the added ideas are fine too...

Re: [Acme] [acme] Account deletion for security currently useless if rolled over

2016-04-18 Thread Patrick Figel
On 18/04/16 19:14, Albert ARIBAUD wrote:
> In the spec above, apparently nothing prevents the attacker from rolling
> over and over again, and the server will only be able to handle a
> finite number of keys before it either misfunctions or decides to drop
> the newest or oldest keys.
This can be

Re: [Acme] [acme] Account deletion for security currently useless if rolled over

2016-04-18 Thread Philipp Junghannß
Okay, didn't know that one yet.
On 18.04.2016 18:32, "Richard Barnes" wrote:
> You can already revoke with the cert key.
>
> On Mon, Apr 18, 2016 at 12:30 PM, Philipp Junghannß <teamhydro55...@gmail.com> wrote:
>
>> In my opinion it would be also nice if you could revoke with the

Re: [Acme] [acme] Account deletion for security currently useless if rolled over

2016-04-18 Thread Richard Barnes
You can already revoke with the cert key.
On Mon, Apr 18, 2016 at 12:30 PM, Philipp Junghannß <teamhydro55...@gmail.com> wrote:
> In my opinion it would be also nice if you could revoke with the cert key
> making it possible to remove the cert even if the acc is down.
> Am 18.04.2016 18:15

[Acme] [acme] Account deletion for security currently useless if rolled over

2016-04-18 Thread sheel.at
Suppose an account key gets compromised. To prevent abuse, the owner can delete the account: https://github.com/ietf-wg-acme/acme/blob/master/draft-ietf-acme-acme.md#deleting-an-account However, people having the key can simply change it without any effort: