Hi everyone, A corner case of the ACME protocol for certificate revocation by proving possession of the private key is that the private key needs to be available to the client which is performing the revocation request. In some cases, this is not possible and/or practical, leading to a situation in which entirely valid revocation requests cannot be processed via ACME, and need to be handled via some other mechanism.
The specific use case I have in mind is for revocations for key compromise which are carried out by the Pwnedkeys Revokinator, which is a service I run to request revocation of certificates using keys known to the pwnedkeys.com database as being compromised. When pwnedkeys finds a compromised key which is used in an existing certificate, it is possible to use the key to request revocation via the existing ACME-provided mechanism. However, it does happen on occasion that a certificate is issued for a key which was already in the pwnedkeys database, and that causes a problem. For security reasons, the private keys themselves are not kept online. Only a proof of compromise (a JWS and CSR whose content states clearly that the key is compromised) is available to the public Internet. As a result, the Revokinator cannot execute an ACME revokeCert request, because it doesn't have access to the private key to sign the JWS. At present, that means that the only solution I have is to e-mail the CA and request that they manually revoke the certificate in question, using the CSR as proof of compromise. Another use case I can think of is analogous to the PGP concept of a "revocation certificate". Consider the case where, for whatever reason, an ordinary user of an ACME CA loses access to the private key used in a certificate or ACME account, and wishes to notify the CA that the key should no longer be trusted. While it is possible to deactivate an account if you have the private key, you cannot do so if the keys have been abstracted and then destroyed -- say, in a randomware+blackmail attack, which are, sadly, all too common. For these reasons, I'm interested to know if the ACME WG would be willing to consider adopting a draft specifying a protocol mechanism which extended ACME to allow a revocation request to be submitted which did not require immediate access to the private key being revoked. I don't have a document prepared, however I've considered the possible mechanisms extensively through my other work in demonstrating key compromise, and would be willing to put in the time to write a "pre-draft" for consideration if the WG expressed in-principle support for adoption. Thanks, - Matt _______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
