On Tue, Jan 16, 2018 at 06:05:55PM +0200, Joona Hoikkala wrote:
> On 16.01.2018 17:59, Ilari Liusvaara wrote:
> > I earlier had an idea of Public Key Pinning with CAA records. It
> > would be much safer than HPKP (because if keys get lost, they
> > can be rather quickly changed) and could actually help against the
> > issue (as CAA is proactive, not reactive like CT). I should post a
> > draft about it...
> This actually already exists, check out:
> https://tools.ietf.org/html/draft-ietf-acme-caa-03
I mean pinning the TLS key, not the account key. Even if the compromised automation cannot outright dump the ACME key (and most probably it can), it can still misuse the key.

-Ilari

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
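The distinction the two messages are drawing, as an added example that is not part of the thread, of draft-ietf-acme-caa, or of any CA's code: a toy CA-side CAA check. The `accounturi` parameter is the real one from draft-ietf-acme-caa (it binds issuance to one ACME account, so a stolen or misused account key at another account is refused). The `spki` parameter is hypothetical, standing in for the TLS-key pin Ilari describes; no draft defines it. The domain names, account URI and SubjectPublicKeyInfo byte strings are constructed sample data. The point the code makes is that a key pin in CAA is checked by the CA before a certificate exists (proactive), whereas HPKP is enforced by the browser only after a mis-issued certificate has been served, and that a pin on the account alone does not stop compromised automation from asking that same account for a certificate on a fresh key.

```python
"""Toy CA-side CAA evaluation with an account binding and a (hypothetical) TLS-key pin.

Added illustration, not code from the ACME thread or from draft-ietf-acme-caa.
  accounturi=<uri>       real parameter (draft-ietf-acme-caa): requesting ACME account must match
  spki=sha256:<base64>   HYPOTHETICAL parameter: SHA-256 over the SubjectPublicKeyInfo DER of the
                         key in the CSR must equal the pin (same digest shape HPKP used)
"""
import base64
import hashlib
import re
from dataclasses import dataclass

# Presentation-format CAA record, e.g.  0 issue "ca.example; accounturi=https://..."
CAA_LINE = re.compile(r'^(\d+)\s+(issue|issuewild|iodef)\s+"([^"]*)"$')


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(zone_lines):
    """Parse CAA records from zone-file presentation format; rejects anything malformed."""
    records = []
    for line in zone_lines:
        m = CAA_LINE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable CAA record: {line!r}")
        records.append(CAARecord(int(m.group(1)), m.group(2), m.group(3)))
    return records


def parse_issue_value(value):
    """Split 'issuer-domain; k=v; k2=v2' into (issuer, {k: v}). A bare ';' means nobody may issue."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0]
    params = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")  # split on the first '=' only; base64 pins may end in '='
            params[k.strip()] = v.strip()
    return issuer, params


def spki_sha256_b64(spki_der):
    """Pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def may_issue(records, ca_domain, account_uri, spki_der, wildcard=False):
    """CA-side decision before any certificate exists. Returns (allowed, reason).

    Issuance is allowed only if some relevant record names this CA and every
    parameter on that record is satisfied by the request. Records for other
    CAs, or for this CA with unsatisfied parameters, simply do not authorise.
    """
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"  # RFC 6844: issuewild takes precedence for wildcard requests when present
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True, f"no '{tag}' records: CAA places no restriction"
    for r in relevant:
        issuer, params = parse_issue_value(r.value)
        if issuer != ca_domain:
            continue
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue
        if "spki" in params:
            algo, _, pin = params["spki"].partition(":")
            if algo != "sha256" or pin != spki_sha256_b64(spki_der):
                continue  # the CSR carries a key other than the pinned one: refuse to issue
        return True, f"matched record: {r.value}"
    return False, f"no '{tag}' record authorises {ca_domain} for this account and key"


# Constructed sample data (not real keys or accounts): stand-in SubjectPublicKeyInfo blobs.
PINNED_SPKI = b"constructed-SPKI-DER-of-the-legitimate-TLS-key"
ROGUE_SPKI = b"constructed-SPKI-DER-of-a-key-minted-by-compromised-automation"
ACCOUNT = "https://ca.example/acme/acct/42"

CAA_ZONE = [
    f'0 issue "ca.example; accounturi={ACCOUNT}; spki=sha256:{spki_sha256_b64(PINNED_SPKI)}"',
    '0 issue "other-ca.example"',
    '0 iodef "mailto:security@example.net"',
]
RECORDS = parse_caa(CAA_ZONE)


def demo():
    """Outcomes for the scenarios discussed in the thread, keyed by scenario name."""
    return {
        "legit": may_issue(RECORDS, "ca.example", ACCOUNT, PINNED_SPKI)[0],
        # account key misused by compromised automation, but for a new TLS key: pin refuses
        "same_account_new_key": may_issue(RECORDS, "ca.example", ACCOUNT, ROGUE_SPKI)[0],
        # right key, but requested from a different ACME account: accounturi refuses
        "other_account_pinned_key": may_issue(RECORDS, "ca.example", ACCOUNT + "1", PINNED_SPKI)[0],
        "unlisted_ca": may_issue(RECORDS, "evil-ca.example", ACCOUNT, PINNED_SPKI)[0],
        # caveat: a second CA listed without parameters is not constrained by the pin at all
        "other_ca_no_params": may_issue(RECORDS, "other-ca.example", "https://x/y", ROGUE_SPKI)[0],
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'issue' if allowed else 'refuse'}")
```

The last scenario is the check a practitioner should run against their own zone: a pin only constrains the record it sits on, so every `issue`/`issuewild` record for every listed CA needs the same pin (or an `accounturi`) or the pin is bypassable by asking the unconstrained CA. The "same_account_new_key" case is the one Ilari's reply is about: binding the account does nothing once the automation holding that account is itself compromised, while a pin on the TLS key still refuses the rogue CSR.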
