Conversation

As a bonus, this would supercharge DANE deployment by making it a prerequisite for secure issuance of legacy PKI certificates.

@letsencrypt

make it happen.

Quote Tweet

Rich Felker

@RichFelker

Mar 17, 2021

Replying to @DanielMicay

I wish LE/ACME would add HTTPS-only mode, where the self-referentiality is avoided by insisting on having a DANE record matching the server's key at the time of ACME request.

Rich Felker

@RichFelker

Mar 17, 2021

Chain of trust goes like this: CAA (DNSSEC) mandates cert can't be issued except by LE over DANE (DNSSEC) authenticated HTTPS.

Replying to

Care to write a draft that specifies a new CAA record field? I'd be willing to support this. Makes sense.

Replying to

Would it be a new field or just a new validationmethods constraint in the sense of tools.ietf.org/html/draft-iet?

Replying to

and

By the way, it appears you can register an account (certbot register) and then pin the account id to have ECDSA-based authentication via ACME. The accounturi and validationmethods features are only used for the staging service though. I've tested that validationmethods works.

Replying to

and

I've now tested that accounturi works too (valid and invalid). This provides a way to properly verify via HTTP authentication using the root of trust since the communication between the ACME client and server is authenticated for the accounturi. The issue is it's staging only.

Replying to

and

Staging only = some experimental thing LE hasn't really rolled out yet?

Replying to

and

If this works in production, I think it's a viable trusted path for cert issuance, but much more roundabout and painful to setup than just enforcing DANE on ACME over HTTPS.

Replying to

and

They have a staging server for dry run certificate issuance tests and it's deployed there. For certbot, you use it with `certbot renew --dry-run`. That's how I was testing this. You can make multiple CAA issue records to allow both the staging and production accounts too.

3:42 PM · Mar 18, 2021Twitter Web App

Replying to

and

Look at the attestation.app CAA records to see the working setup I have for it now. It's not enforced by the production server yet but it should transparently start working when they deploy it now and I'll get an email if it actually fails to issue so I'm fine with that.

attestation.app

Device integrity monitoring

Hardware-based remote attestation service for monitoring the security of Android devices using the Auditor app.

Replying to

and

But do you mean enforcement of these CAA constraints isn't supported yet on the real LE cert issuance servers? Or just that you only tested on staging?

Replying to

and

It's not supported on the real production issuance server making trusted certificates yet. The fact that it's deployed on the staging server used for dry run issuance makes it seem like it's close to being put into production though. I don't think they like to deviate much there.

Show replies