It looks like the ACME working group built a generic client-authenticated replay-resistant protocol on top of HTTPS as a side product. https://tools.ietf.org/html/draft-ietf-acme-acme-18 …
The challenges do contain the account key fingerprint. It's an important distinction, because early drafts used signed challenges rather than a fingerprint due to a mistaken belief that it was necessary for CDN MitM resistance, and this was extremely bad: https://mailarchive.ietf.org/arch/msg/acme/F71iz6qq1o_QPVhJCV4dqWf-4Yc …
-
-
The structure of the challenges do stop a malicious CDN from getting unauthorized certificates, but they also stop anyone else from getting unauthorized certificates, so I don't really think of them as a CDN-specific security measure.
-
Personally, I think the CDN MitM resistance thing is a big (and nearly fatal) distraction from ACME's core security model: a CSR is signed by an ACME account key, and the fingerprint of the ACME account key is placed in DNS/.well-known/etc. so therefore the CSR is legit.
- 1 more reply
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.