>I would rather sidestep the issue of what format to put the certificate
>response in, by putting the certificates directly into the JSON ACME order
>object. I have not seen any arguments against that premise (except for “size”)
>and several arguments in favor of it.
The "so-called PEM format"
> On Apr 26, 2017, at 9:55 PM, Jacob Hoffman-Andrews wrote:
>
> On 03/30/2017 09:04 AM, Sean Leonard wrote:
>> IN PARTICULAR: both Apache and Nginx may be subject to a private key
>> substitution attack with naive passing of the ACME response to the web
>> server! See:
>>
Based on Jacob's research, I'm pretty well convinced that this is not an
issue. Nonetheless, I have posted a PR to add some text about this risk.
https://github.com/ietf-wg-acme/acme/pull/306
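The risk discussed in this part of the thread is a PEM bundle that carries more than certificates being written straight into a web server's certificate file. The following strict PEM-chain parser is an added example for readers of this archive; it is not code from the ACME draft, from the PR linked above, or from any of the posters. Names such as `parse_pem_chain`, `ChainError` and `ALLOWED_LABELS` are this example's own, and the sample bundles are constructed from a tiny DER SEQUENCE that stands in for real certificates and keys.

```python
import base64
import re

# Only CERTIFICATE blocks belong in a chain that is handed to a TLS server.
# (Constants and names here are this example's own, not from the ACME draft.)
ALLOWED_LABELS = {"CERTIFICATE"}

# One RFC 7468 encapsulation: BEGIN line, base64 body, END line.
_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)


class ChainError(ValueError):
    """Raised when a PEM bundle is not a clean certificate-only chain."""


def parse_pem_chain(text):
    """Return the DER bytes of every block in ``text``, in file order.

    Refuses: text outside encapsulation boundaries, mismatched BEGIN/END
    labels, any label other than CERTIFICATE (so a PRIVATE KEY block never
    reaches the server), invalid base64, and bodies that are not a DER
    SEQUENCE (every X.509 Certificate starts with tag 0x30).
    """
    ders = []
    pos = 0
    for m in _BLOCK.finditer(text):
        gap = text[pos:m.start()]
        if gap.strip():
            raise ChainError("text outside PEM block: %r" % gap.strip()[:40])
        begin, body, end = m.group(1), m.group(2), m.group(3)
        if begin != end:
            raise ChainError("BEGIN %s does not match END %s" % (begin, end))
        if begin not in ALLOWED_LABELS:
            raise ChainError("refusing %s block in a certificate chain" % begin)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ChainError("invalid base64 in block %d" % (len(ders) + 1)) from exc
        if not der.startswith(b"\x30"):
            raise ChainError("block %d is not a DER SEQUENCE" % (len(ders) + 1))
        ders.append(der)
        pos = m.end()
    if text[pos:].strip():
        raise ChainError("trailing text after last PEM block")
    if not ders:
        raise ChainError("no certificates found")
    return ders


def pem_block(label, der):
    """Wrap DER bytes in a PEM encapsulation with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


# Constructed stand-ins: a minimal DER SEQUENCE, not real certificates or keys.
_FAKE_CERT = b"\x30\x03\x02\x01\x01"
_FAKE_KEY = b"\x30\x03\x02\x01\x02"

CLEAN_CHAIN = pem_block("CERTIFICATE", _FAKE_CERT) + pem_block("CERTIFICATE", _FAKE_CERT)
# A constructed bundle that carries a key block after the leaf certificate.
KEY_SMUGGLED_CHAIN = pem_block("CERTIFICATE", _FAKE_CERT) + pem_block("PRIVATE KEY", _FAKE_KEY)


def is_safe_chain(text):
    """True when the bundle passes every check above, False otherwise."""
    try:
        parse_pem_chain(text)
        return True
    except ChainError:
        return False


if __name__ == "__main__":
    print(len(parse_pem_chain(CLEAN_CHAIN)), "certificate(s) accepted")
    print("key-carrying bundle accepted?", is_safe_chain(KEY_SMUGGLED_CHAIN))
```

The parser deliberately rejects rather than skips anything that is not a certificate, so an ACME client that runs it before writing the server's certificate file never passes a key block through. It does not check the ordering rule quoted later in the thread (each following certificate directly certifies the one preceding it); that needs an X.509 parser to compare issuer and subject names, which a deployment would add with a library such as `cryptography`.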
On Thu, Apr 27, 2017 at 12:55 AM, Jacob Hoffman-Andrews wrote:
> On 03/30/2017 09:04
On 03/30/2017 09:04 AM, Sean Leonard wrote:
> IN PARTICULAR: both Apache and Nginx may be subject to a private key
> substitution attack with naive passing of the ACME response to the web
> server! See:
> http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate
>
> On Mar 30, 2017, at 10:47 AM, Jacob Hoffman-Andrews wrote:
>
>> Therefore the “receiver” is the ACME client, which also is the web/TLS
>> server that incorporates the chain into its operations.
>
> Note that in common deployment today, the ACME client is separate from
> the web
> Therefore the “receiver” is the ACME client, which also is the web/TLS
> server that incorporates the chain into its operations.
Note that in common deployment today, the ACME client is separate from
the web server.
On 03/30/2017 08:27 AM, Sean Leonard wrote:
> Contents: DER-encoded
On 03/29/2017 01:48 PM, Sean Leonard wrote:
> If you are saying that the receiver is only expected to handle TLS
> 1.2-ordered certificates: “Each following certificate MUST directly
> certify the one preceding it” (MUST, not SHOULD) then we have a
> different situation and PKCS #7/CMS certs-only
> On Mar 29, 2017, at 2:54 PM, Ilari Liusvaara wrote:
>
> On Wed, Mar 29, 2017 at 02:32:17PM -0500, Sean Leonard wrote:
>> Hello,
>>
>> Second of all, I see negative value in transmitting certificates in
>> the proposed “PEM Certificate Chain” format (Section 7.4.2.,