On Fri, Oct 21, 2022 at 02:33:15PM -0700, David Weitzman wrote:
> The attack described below wouldn't work on Let's Encrypt because it
> hasn't implemented the order list feature yet, so this is more of a
> hypothetical attack for anyone who finishes implementing the standard.

Well, Let's Encrypt implements authorization caching, which causes much more serious issues if someone manages to compromise the account key. And then one needs either order list or order reuse in order to recover from no-reply order creation (however, I do not think any current ACME client supports recovery using order list, so in practice CA needs order reuse).

-Ilari

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
