Conversation

As a bonus, this would supercharge DANE deployment by making it a prerequisite for secure issuance of legacy PKI certificates.

@letsencrypt

make it happen.

Quote Tweet

Rich Felker

@RichFelker

Mar 17, 2021

Replying to @DanielMicay

I wish LE/ACME would add HTTPS-only mode, where the self-referentiality is avoided by insisting on having a DANE record matching the server's key at the time of ACME request.

Rich Felker

@RichFelker

Mar 17, 2021

Chain of trust goes like this: CAA (DNSSEC) mandates cert can't be issued except by LE over DANE (DNSSEC) authenticated HTTPS.

Replying to

Care to write a draft that specifies a new CAA record field? I'd be willing to support this. Makes sense.

Replying to

Would it be a new field or just a new validationmethods constraint in the sense of tools.ietf.org/html/draft-iet?

Replying to

and

By the way, it appears you can register an account (certbot register) and then pin the account id to have ECDSA-based authentication via ACME. The accounturi and validationmethods features are only used for the staging service though. I've tested that validationmethods works.

Replying to

and

I've now tested that accounturi works too (valid and invalid). This provides a way to properly verify via HTTP authentication using the root of trust since the communication between the ACME client and server is authenticated for the accounturi. The issue is it's staging only.

2:59 PM · Mar 18, 2021Twitter Web App

Replying to

and

Staging only = some experimental thing LE hasn't really rolled out yet?

Replying to

and

If this works in production, I think it's a viable trusted path for cert issuance, but much more roundabout and painful to setup than just enforcing DANE on ACME over HTTPS.

Show replies