> On Mar 25, 2015, at 9:35 AM, John Mattsson <[email protected]> wrote: > > Hi, > > Some high level comments on draft-barnes-acme (the GitHub version) > > > - Security: > The security of this seems to need some serious rethinking. The “Domain > Validation with Server Name Indication” challenge seems totally nonsecure, > allowing ANY on-path attacker to get certificates issued. I think this > challenge is unacceptable for certificate issuance and I think it should be > removed. Just because I let Amazon, Microsoft, Google or any other cloud > provider run my web server does not mean I give them the right to request > certificates for my domain.
Section 11.1.1 of the Baseline Requirements allows this: > 6. Having the Applicant demonstrate practical control over the FQDN by making > an agreed-upon change to information found on an online Web page identified > by a uniform resource identifier containing the FQDN; or > 7. Using any other method of confirmation, provided that the CA maintains > documented evidence that the method of confirmation establishes that the > Applicant is the Domain Name Registrant or has control over the FQDN to at > least the same level of assurance as those methods previously described. The current status quo is that many CAs allow “put this meta tag or text file on the HTTP server” as a challenge, which is *less* secure than the proposed DVSNI and Simple HTTPS challenge methods. If the only automated challenge method available is DNS, this puts a *huge* damper on the usability of the system. Do you have any concrete modifications or alternatives to the DVSNI validation method that would improve the security? Do you have the same complaint about the Simple HTTPS validation method? Jonathan _______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
