After a look at the ACME spec, this seems to me like it might be a small problem:
The owner of example.org wants to obtain a certificate for example.org from a malicious organization that claims to be a CA, but isn't one, or that is a CA with a scope that is limited somehow (e.g. because its certificate is not accepted by all browsers). The malicious organization wants to obtain a certificate for example.org for its own evil purposes that is less restricted than certificates it could issue on its own. To archieve that, it registers at a more privileged CA and poses as the owner of example.org. When the real CA asks the malicious CA to confirm its identity using simpleHttps or DVSNI, the malicious CA simply forwards the challenge to the victim ACME client. Did I miss something in the spec, or would that work? I'm not sure how important this is, but would it maybe be a good idea to let the ACME client prefix or hash together the provisioned values with the identity (domain name or so) of the CA it's talking to?
signature.asc
Description: Digital signature
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
