[Acme] The path to the "directory" resource should not be "/" and should be specified in draft-ietf-acme-acme-01

2016-01-08 Thread Albert ARIBAUD
Hello all (and a happy New Year), I am looking at draft-ietf-acme-acme-01 as available on github right now, more precisely at section 6.2 and the "directory" resource which would allow a client to find out the URIs for other resources. Since "directory" is there to help find URIs for resources,

Re: [Acme] ACME vulnerabilities in SimpleHTTP due to common webservers' default virtual host semantics

2016-01-08 Thread Peter Eckersley
On Fri, Jan 08, 2016 at 08:42:57PM +0100, Niklas Keller wrote: > > The current language describing it in the spec is terrible and needs to > > be rewritten, but it's quite simple: add an extra :443 vhost entry to > > your server config, serving a self-signed cert created to pass the > > challenge.

Re: [Acme] The path to the "directory" resource should not be "/" and should be specified in draft-ietf-acme-acme-01

2016-01-08 Thread Albert ARIBAUD
Hi Rich, On Fri, 8 Jan 2016 19:52:34 + "Salz, Rich" wrote: > > > draft-ietf-acme-acme-01 states: > > > > In order to help clients configure themselves with the right > > URIs for each ACME operation, ACME servers provide a > > directory object. This should be

Re: [Acme] The path to the "directory" resource should not be "/" and should be specified in draft-ietf-acme-acme-01

2016-01-08 Thread Salz, Rich
> draft-ietf-acme-acme-01 states: > > In order to help clients configure themselves with the right > URIs for each ACME operation, ACME servers provide a directory > object. This should be the root URL with which clients are > configured. > > The question is, what

Re: [Acme] ACME vulnerabilities in SimpleHTTP due to common webservers' default virtual host semantics

2016-01-08 Thread Peter Wu
On Fri, Jan 08, 2016 at 10:23:25AM -0800, Peter Eckersley wrote: > On Fri, Jan 08, 2016 at 06:27:09PM +0100, Peter Wu wrote: > > > Peter (Eckersley), you reported this concern with the premise that it is > > a common configuration mistake that impacts many hosting providers. Do > > you have

Re: [Acme] ACME vulnerabilities in SimpleHTTP due to common webservers' default virtual host semantics

2016-01-08 Thread Peter Eckersley
On Sat, Jan 09, 2016 at 12:56:49AM +0100, Peter Wu wrote: > On Fri, Jan 08, 2016 at 10:23:25AM -0800, Peter Eckersley wrote: > > On Fri, Jan 08, 2016 at 06:27:09PM +0100, Peter Wu wrote: > > > > > Peter (Eckersley), you reported this concern with the premise that it is > > > a common

Re: [Acme] ACME vulnerabilities in SimpleHTTP due to common webservers' default virtual host semantics

2016-01-08 Thread Peter Eckersley
On Fri, Jan 08, 2016 at 06:27:09PM +0100, Peter Wu wrote: > Peter (Eckersley), you reported this concern with the premise that it is > a common configuration mistake that impacts many hosting providers. Do > you have scans backing up that concern? Websites that are managed by a > single entity

Re: [Acme] The path to the "directory" resource should not be "/" and should be specified in draft-ietf-acme-acme-01

2016-01-08 Thread Martin Thomson
On 9 January 2016 at 08:46, Albert ARIBAUD wrote: > Actually, I withdraw this statement: acme-v01.api.letsencrypt.org's > "/directory" is just as compliant as "/acme" or "/". There is no > reason to constrain the path of the directory object to a specific > value. > > In

Re: [Acme] ACME vulnerabilities in SimpleHTTP due to common webservers' default virtual host semantics

2016-01-08 Thread Peter Wu
Hi Niklas, Peter and others, (First time poster here, grabbed this mail from the archives. Explanation of the "vulnerability" is first given, followed by a discussion.) On Fri, Nov 13, 2015 at 04:35:00PM +0100, Niklas Keller wrote: > This is a followup on "ACME vulnerabilities in SimpleHTTP and