> > As an individual, I dislike putting "here's what's wrong with your key" in > the error message. For example, it encourages a thief to do "venue > shopping" looking for a CA that will certify their stolen keypair. >
I don't think this is a meaningful example. The server has to return some kind of error message if it isn't going to accept the key. As an attacker I probably know I've stolen a good key (it was in use, wasn't it?) so if I get an error message of any kind I can shop it out to the next CA. This thread is just addressing the question about whether we should make it a standardized error instead of bucketed into "malformed". On Thu, Jan 24, 2019 at 11:19 AM Salz, Rich <[email protected]> wrote: > > - Note that since the registration policy is "specification required", > doing this in an extension spec instead would not require the consent of > the IESG. > > > > Right, which is how I prefer to see this move forward. Putting it into > the ACME doc, however, **does** require IESG approval. > > > > - I think you're confused here, Rich. This error code relates to > *account keys*, not keys that are certified by the CA. > > > > Not really, which is why I chose the example I did. > _______________________________________________ > Acme mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/acme >
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
