On Fri, 8 Jul 2016 16:36:35 -0700 Roland Shoemaker <[email protected]> wrote:
> (Playing devil's advocate) Why not just remove the nonce system
> entirely?

That's an interesting question. How important is it to prevent replays?

I believe that ACME messages can be divided into three classes:

1. Idempotent operations: completing challenges, revoking certificates, and deleting resources (assuming resource IDs aren't reused). No need for replay protection here.

2. Operations that create resources on the server (registrations, applications, certificates). It seems that the only risk from replays is resource exhaustion on the server, which is something the server already needs to be concerned about.

3. Operations that modify resources (registrations). This is sensitive, as a replay would allow a malicious CDN to roll back a resource to an earlier state. The only attack I see with the current protocol would be rolling back the registration contact to an email address that is now controlled by the attacker instead of the account owner.

Could this be solved by adding an integer version field to every resource that starts at zero, and requiring that all modifications include a version that's greater than the existing version? As a side benefit, this makes the protocol safe against concurrent modifications by different clients, since only one update would succeed.

Have I overlooked anything? Would we be painting the protocol into a corner if we removed nonces and instead required individual messages to be safe to replay?

Regards,
Andrew
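The version-field check proposed in the message above, sketched as an added example that is not part of the original post or of any ACME implementation. The store, the `payload` shape, and all names and addresses are assumptions made for illustration; signature verification is assumed to have happened before `update` is called.

```python
from dataclasses import dataclass, field

class StaleVersion(Exception):
    """Update did not carry a version greater than the stored one."""

@dataclass
class Registration:
    contact: str
    version: int = 0  # starts at zero, as the message proposes

@dataclass
class RegistrationStore:
    regs: dict = field(default_factory=dict)  # hypothetical in-memory store

    def create(self, account_id: str, contact: str) -> None:
        self.regs[account_id] = Registration(contact)

    def update(self, account_id: str, payload: dict) -> Registration:
        # `payload` stands in for a request body whose signature was already
        # verified; the version is inside the signed payload, so a party
        # replaying the message cannot change it.
        reg = self.regs[account_id]
        version = payload.get("version")
        if type(version) is not int or version <= reg.version:
            raise StaleVersion(f"got {version!r}, stored {reg.version}")
        reg.contact, reg.version = payload["contact"], version
        return reg

def try_update(store, account_id, payload) -> str:
    try:
        store.update(account_id, payload)
        return "applied"
    except StaleVersion:
        return "rejected"

def demo() -> dict:
    store = RegistrationStore()
    store.create("acct-1", "mailto:old@example.test")  # constructed sample data
    first = {"version": 1, "contact": "mailto:interim@example.test"}
    second = {"version": 2, "contact": "mailto:owner@example.test"}
    results = [try_update(store, "acct-1", m) for m in (first, second)]
    # Replay of the earlier, validly signed message: the rollback case.
    results.append(try_update(store, "acct-1", first))
    # Two clients race with the same next version: only one update wins.
    a = {"version": 3, "contact": "mailto:client-a@example.test"}
    b = {"version": 3, "contact": "mailto:client-b@example.test"}
    results += [try_update(store, "acct-1", a), try_update(store, "acct-1", b)]
    reg = store.regs["acct-1"]
    return {"results": results, "contact": reg.contact, "version": reg.version}

if __name__ == "__main__":
    print(demo())
```

In a real server the compare-and-set in `update` would have to be atomic (a transaction or conditional write), otherwise the two racing clients could both pass the check.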
