Hello Ilari, > [1] Just as example, the following kinds of stuff are (legimately) seen fairly > often or more: > > > - Rolling over the account key for each renewal (this is usually caused > by containers forgetting things). > - Rolling over the TLS key for each renewal (some actually recommend > this, I do not). Sometimes with very frequent renewals. > - Getting multiple certificates with different keys for multiple > servers with the same name. > - Handling validation on separate system and pushing the certificates > (and likely the TLS keys too, probably not in safe manner!) to server > systems. These systems might utilize HTTP redirects (which HTTP-01 > does follow) or DNS CNAMEs (which DNS-01 does follow). > - Users wiping out the TLS keys and account keys (without backup!) to > "reset" something (admin mistake). > - Transferring site between servers and losing the keys (account and > TLS) in the process. > - Users using all sorts of whacky ACME clients that just do not > implement anything more than bare minimum for the common case. > - Users using HTTPS on servers they don't have proper control of > DNS for (can't edit records, or can only use very few record > types, at worst only A/AAAA, or worse yet, A only). > > Thinking about recovery is rather important. One of the major reasons HPKP > is so hated is lack of pretty much any kind of recovery. I am seriously interested in surveying this kind of behavior, not only to quantify it, but also to understand MOs during systems' operation. While some of these cases seem relatively easy to measure (yet sometimes not to distinguish, i.e., cases 1 and 2), others seem to be harder harder to measure, e.g., the 4th case. The main problem here is that this would certainly require cooperation from LE. What are your thoughts on this?
> [2] This was actually one of the major reasons why the PoP challenge was > removed. Well, technically it should be sufficient to do the channel over HTTPs to reach the same result in comparison to actually signing the challenge. Met vriendelijke groet, Tobias Fiebig, Department Engineering Systems and Services Informatie- en Communicatie Technologie (ICT) TU Delft / Dept. ESS Faculty of Technology, Policy and Management (TBM) Building 31 Jaffalaan 5 - room B3.170 2628 BX Delft P.O.Box 5015 2600 GA Delft, The Netherlands T +31 (0)15 27 85700 E [email protected] Present: Monday t/m Friday _______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
