Hello all (and a happy New Year),
I am looking at draft-ietf-acme-acme-01 as available on GitHub right
now, more precisely at section 6.2 and the "directory" resource which
would allow a client to find out the URIs for other resources.
Since "directory" is there to help find URIs for resources,
On Fri, Jan 08, 2016 at 08:42:57PM +0100, Niklas Keller wrote:
> > The current language describing it in the spec is terrible and needs to
> > be rewritten, but it's quite simple: add an extra :443 vhost entry to
> > your server config, serving a self-signed cert created to pass the
> > challenge.
Hi Rich,
On Fri, 8 Jan 2016 19:52:34 +
"Salz, Rich" wrote:
>
> > draft-ietf-acme-acme-01 states:
> >
> > In order to help clients configure themselves with the right
> > URIs for each ACME operation, ACME servers provide a
> > directory object. This should be
> draft-ietf-acme-acme-01 states:
>
> In order to help clients configure themselves with the right
> URIs for each ACME operation, ACME servers provide a directory
> object. This should be the root URL with which clients are
> configured.
>
> The question is, what
On Fri, Jan 08, 2016 at 10:23:25AM -0800, Peter Eckersley wrote:
> On Fri, Jan 08, 2016 at 06:27:09PM +0100, Peter Wu wrote:
>
> > Peter (Eckersley), you reported this concern with the premise that it is
> > a common configuration mistake that impacts many hosting providers. Do
> > you have
On Sat, Jan 09, 2016 at 12:56:49AM +0100, Peter Wu wrote:
> On Fri, Jan 08, 2016 at 10:23:25AM -0800, Peter Eckersley wrote:
> > On Fri, Jan 08, 2016 at 06:27:09PM +0100, Peter Wu wrote:
> >
> > > Peter (Eckersley), you reported this concern with the premise that it is
> > > a common
On Fri, Jan 08, 2016 at 06:27:09PM +0100, Peter Wu wrote:
> Peter (Eckersley), you reported this concern with the premise that it is
> a common configuration mistake that impacts many hosting providers. Do
> you have scans backing up that concern? Websites that are managed by a
> single entity
On 9 January 2016 at 08:46, Albert ARIBAUD wrote:
> Actually, I withdraw this statement: acme-v01.api.letsencrypt.org's
> "/directory" is just as compliant as "/acme" or "/". There is no
> reason to constrain the path of the directory object to a specific
> value.
>
> In
Hi Niklas, Peter and others,
(First time poster here, grabbed this mail from the archives.
Explanation of the "vulnerability" is first given, followed by a
discussion.)
On Fri, Nov 13, 2015 at 04:35:00PM +0100, Niklas Keller wrote:
> This is a followup on "ACME vulnerabilities in SimpleHTTP and