Hi all, I've had some discussion recently with the Tor project on implementation hurdles for draft-ietf-acme-onion. One concern that has been raised by a few is the need to run a Tor client to validate requests, even with onion-csr-01, due to the inclusion of CAA in the draft.
One solution proposed to this is that the ACME client MAY[1] send the hidden service descriptor to CA as part of the finalize request. The CA also MAY require this, if they do not wish to run a Tor client. This, to my knowledge, wouldn't reduce the security of the validation of CAA, as the descriptor document is still cryptographically validated in the same way using the current network consensus. Additionally the directory authorities that serve descriptors are already non-trusted actors in Tor. The CA would still need a copy of the network consensus document to verify the descriptor submitted by the client. Most directory authorities however are reachable over standard HTTP over TCP, in addition to HTTP over Tor. This would allow the CA to fetch the current consensus without any connection to Tor. The consensus fetched this way would still be verified against the trusted directory authorities of Tor[2]. What are people's thoughts on this, and more importantly, what problems do people see with this? Should this be incorporated into the draft? Thanks, Q [1]: BCP 14 MAY [2]: https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt ------------------------------ Any statements contained in this email are personal to the author and are not necessarily the statements of the company unless specifically stated. AS207960 Cyfyngedig, having a registered office at 13 Pen-y-lan Terrace, Caerdydd, Cymru, CF23 9EU, trading as Glauca Digital, is a company registered in Wales under № 12417574 <https://find-and-update.company-information.service.gov.uk/company/12417574>, LEI 875500FXNCJPAPF3PD10. ICO register №: ZA782876 <https://ico.org.uk/ESDWebPages/Entry/ZA782876>. UK VAT №: GB378323867. EU VAT №: EU372013983. Turkish VAT №: 0861333524. South Korean VAT №: 522-80-03080. AS207960 Ewrop OÜ, having a registered office at Lääne-Viru maakond, Tapa vald, Porkuni küla, Lossi tn 1, 46001, trading as Glauca Digital, is a company registered in Estonia under № 16755226. Estonian VAT №: EE102625532. Glauca Digital and the Glauca logo are registered trademarks in the UK, under № UK00003718474 and № UK00003718468, respectively.
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
