It looks like the ACME working group built a generic client-authenticated replay-resistant protocol on top of HTTPS as a side product. https://tools.ietf.org/html/draft-ietf-acme-acme-18 …
-
-
Without that side channel the CDN could just make its own account key, and MitM everything, right? I assume the challenges are still somehow tied to the account key?
-
The challenges do contain the account key fingerprint. It's an important distinction, because early drafts used signed challenges rather than a fingerprint due to a mistaken belief that it was necessary for CDN MitM resistance, and this was extremely bad: https://mailarchive.ietf.org/arch/msg/acme/F71iz6qq1o_QPVhJCV4dqWf-4Yc …
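The fingerprint binding mentioned in the reply above is the ACME "key authorization" (RFC 8555 section 8.1): the challenge token concatenated with the JWK thumbprint (RFC 7638) of the account key. The following is an added, stand-alone example, not code from the thread or from any ACME implementation. It computes the thumbprint and key authorization with the Python standard library and shows the CA-side comparison that fails when a response was built under a different account key. The JWK coordinates and tokens are constructed sample values, not real curve points; RFC 7638 section 3.1 carries a reference thumbprint you can feed through `jwk_thumbprint` to cross-check the canonicalisation.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding used throughout JOSE and ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638 section 3.2: only the required public members of each key type are
# hashed; optional members such as "alg", "kid" and "use" are deliberately ignored.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),  # RFC 8037 keys (Ed25519 etc.)
    "oct": ("k", "kty"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the lexically sorted, whitespace-free
    JSON of the required members, base64url-encoded."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = {name: jwk[name] for name in members}
    serialised = json.dumps(canonical, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(serialised.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || "." || thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record_value(key_auth: str) -> str:
    """RFC 8555 section 8.4: the TXT record holds base64url(SHA-256(key authorization))."""
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())


def validate_http01(token: str, served_body: str, account_jwk: dict) -> bool:
    """CA-side check for http-01: the body fetched from the well-known URL must equal
    the key authorization computed from the token and the *requesting* account's key.
    A constant-time compare avoids leaking how much of the value matched."""
    expected = key_authorization(token, account_jwk)
    return hmac.compare_digest(served_body.strip().encode("ascii"), expected.encode("ascii"))


# Constructed sample keys (hypothetical values, not valid P-256 points; only hashed here).
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "constructed-x-coordinate-of-the-legitimate-account",
    "y": "constructed-y-coordinate-of-the-legitimate-account",
    "kid": "https://example.invalid/acme/acct/1",  # ignored by the thumbprint
    "alg": "ES256",                                  # ignored by the thumbprint
}
OTHER_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "constructed-x-coordinate-of-some-other-account",
    "y": "constructed-y-coordinate-of-some-other-account",
}


def demo(token: str = "constructed-challenge-token") -> dict:
    """Shows that a response built for one account key does not validate for another:
    the token is public, but the thumbprint pins the response to the account that
    requested the order."""
    legit_body = key_authorization(token, ACCOUNT_JWK)
    foreign_body = key_authorization(token, OTHER_JWK)
    return {
        "thumbprint": jwk_thumbprint(ACCOUNT_JWK),
        "http01_body": legit_body,
        "dns01_txt": dns01_record_value(legit_body),
        "legit_validates": validate_http01(token, legit_body, ACCOUNT_JWK),
        "foreign_validates": validate_http01(token, foreign_body, ACCOUNT_JWK),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the thumbprint only covers the public key members and is recomputed by the CA from the account that created the order, the response is bound to that account without any per-challenge signature, which is what makes the earlier signed-challenge design unnecessary for the CDN case discussed in the thread.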