Hi Andrew,
On Wed, 18 Sep 2024, Andrew Ayer wrote:

> On Wed, 18 Sep 2024 14:51:52 +0000
> "Tobias S. Josefowitz via Servercert-wg" <[email protected]>
> wrote:
>
> > While it may be possible to securely implement automation based on
> > this that does so securely, checking the CSR and correlating it to the
> > CSR automatically handed in... it sounds unlikely that the majority
> > of such implementations do this properly. It would be reasonably
> > involved to arrive at an actually secure automated process, and it
> > would so easily lend itself to an insecure implementation.
>
> You can see in Amazon's documentation
> (https://docs.aws.amazon.com/acm/latest/userguide/email-automation.html)
> that the email clearly specifies the account ID of the certificate
> requester and a certificate identifier. It is critical to validate the
> account ID. I don't think this is as hard as you're suggesting.

Indeed, thank you for sharing this. I can easily see how one could do
something useful with this. I am not convinced that's where the majority
of users of this method necessarily arrive, but I certainly do not want to
criticize anyone who did.

> Unfortunately, I don't think this is universally true. ALPN and
> HTTP challenges don't work for wildcards or hostnames that are not
> publicly-accessible on port 80 or 443. Large organizations usually lock
> down the ability to create DNS records, or are using DNS providers
> without sensible APIs, making it a significant challenge to manage DNS
> challenges at scale. Being able to delegate certificate validation for
> all domains to a central point is extremely useful.

I still maintain that ACME with automated DNS changes is ultimately the
better option; DNS hosting options enabling that are readily available as
well. But I would not like to be forced to transition from one that
doesn't allow it to one that does for an organization, and specifically
not in a short timeframe. Point taken.

> In the long term this should not be a reason to keep around WHOIS
> validation, and I support immediately sunsetting WHOIS validation for
> ccTLDs due to the demonstrated problem there. I just wanted to provide
> an explanation for why sunsetting WHOIS would be disruptive to
> currently-deployed automation solutions.

Thank you for that!
Tobi
_______________________________________________
Servercert-wg mailing list
[email protected]
https://lists.cabforum.org/mailman/listinfo/servercert-wg
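As an added example, not from this thread or from Amazon's documentation, this is the shape of the check Andrew describes for an automated email-validation approver: approve only when the account ID is one you own and the certificate identifier matches a request your own tooling actually submitted. The email field labels, identifiers and pending-request store are constructed assumptions for illustration and do not reproduce ACM's real message format.

```python
import re
from dataclasses import dataclass

# Constructed sample of a CA validation email. The field labels are
# hypothetical and do not reproduce Amazon's real message layout.
SAMPLE_EMAIL = """\
Subject: Please approve a certificate for example.com
Account ID: 123456789012
Certificate identifier: cert-0a1b2c3d
Domain: example.com
Approve: https://validation.example.invalid/approve?token=CONSTRUCTED
"""

@dataclass(frozen=True)
class PendingRequest:          # a request our own tooling submitted
    account_id: str
    domain: str

# Constructed state: requests we actually initiated, keyed by the
# certificate identifier the CA assigned, and the accounts we own.
PENDING = {"cert-0a1b2c3d": PendingRequest("123456789012", "example.com")}
TRUSTED_ACCOUNTS = {"123456789012"}
FIELDS = (("account id", "account_id"),
          ("certificate identifier", "certificate_id"), ("domain", "domain"))
def parse_validation_email(body: str) -> dict:
    """Extract the fields an automated approver must check; fail closed."""
    out = {}
    for label, key in FIELDS:
        m = re.search(rf"^{label}:\s*(\S+)\s*$", body, re.I | re.M)
        if m is None:
            raise ValueError(f"validation email lacks '{label}' field")
        out[key] = m.group(1)
    return out

def should_approve(body: str, trusted=TRUSTED_ACCOUNTS, pending=PENDING):
    """Return (approve, reason). Approve only mail that matches a request
    we made, from an account we own, for the domain we asked for."""
    try:
        f = parse_validation_email(body)
    except ValueError as e:
        return False, str(e)
    if f["account_id"] not in trusted:
        return False, "requester account is not one of ours"
    req = pending.get(f["certificate_id"])
    if req is None:
        return False, "no pending request with this certificate identifier"
    if (req.account_id, req.domain) != (f["account_id"], f["domain"]):
        return False, "email fields do not match the pending request"
    return True, "matches pending request"
```

A blind approver that clicks every approval link it receives would validate any third party's request for your domain; the pending-request correlation is what turns the email into evidence that you asked for this certificate.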