It looks like the ACME working group built a generic client-authenticated replay-resistant protocol on top of HTTPS as a side product. https://tools.ietf.org/html/draft-ietf-acme-acme-18 …
-
Personally, I think the CDN MitM resistance thing is a big (and nearly fatal) distraction from ACME's core security model: a CSR is signed by an ACME account key, and the fingerprint of the ACME account key is placed in DNS/.well-known/etc. so therefore the CSR is legit.
-
Right, all I’m saying is that if you reuse the ACME “transport layer” for something that doesn’t have challenges, you don’t get that protection.
End of conversation
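The "generic client-authenticated replay-resistant protocol" the first tweet points at is ACME's request layer (RFC 8555, section 6): every request is a JWS signed by the account key, with a server-issued single-use nonce and the target URL in the protected header, and the server verifies the signature against the registered key, enforces the URL binding, and consumes the nonce. The Go sketch below is an added example, not code from the thread or from any ACME client or CA; the `Server`, `Sign`, `Verify` and `Demo` names, the account URL and endpoint URLs are assumptions made for illustration. It shows the three checks and what a replay or cross-endpoint reuse gets back. Note what it does not show: nothing in this layer proves control of a domain name, which is the point the last two tweets make about challenges.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// Model of ACME request authentication (RFC 8555 section 6). Hypothetical names.
type protectedHeader struct {
	Alg   string `json:"alg"`
	Kid   string `json:"kid"`   // account URL: selects the registered public key
	Nonce string `json:"nonce"` // server-issued, valid exactly once (anti-replay)
	URL   string `json:"url"`   // binds the signature to one endpoint
}

type JWS struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

var b64 = base64.RawURLEncoding

// Server holds registered account keys and nonces issued but not yet consumed.
type Server struct {
	accounts map[string]*ecdsa.PublicKey
	nonces   map[string]bool
}

func NewServer() *Server {
	return &Server{accounts: map[string]*ecdsa.PublicKey{}, nonces: map[string]bool{}}
}

func (s *Server) Register(kid string, pub *ecdsa.PublicKey) { s.accounts[kid] = pub }

// NewNonce mints a fresh random nonce and remembers it (ACME: Replay-Nonce header).
func (s *Server) NewNonce() (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	n := b64.EncodeToString(raw)
	s.nonces[n] = true
	return n, nil
}

// Sign produces an ES256 JWS over base64url(protected) "." base64url(payload).
func Sign(priv *ecdsa.PrivateKey, kid, nonce, url string, payload []byte) (*JWS, error) {
	hdr, err := json.Marshal(protectedHeader{Alg: "ES256", Kid: kid, Nonce: nonce, URL: url})
	if err != nil {
		return nil, err
	}
	p, pl := b64.EncodeToString(hdr), b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(p + "." + pl))
	r, sv, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	sig := make([]byte, 64) // JWS ES256 signature is fixed-width r || s
	r.FillBytes(sig[:32])
	sv.FillBytes(sig[32:])
	return &JWS{Protected: p, Payload: pl, Signature: b64.EncodeToString(sig)}, nil
}

// Verify is the server side: account-key signature, URL binding, then single-use nonce.
// The nonce is consumed only after the signature checks out, so a forged request
// cannot burn a legitimate client's nonce.
func (s *Server) Verify(requestURL string, j *JWS) ([]byte, error) {
	hdrBytes, err := b64.DecodeString(j.Protected)
	if err != nil {
		return nil, err
	}
	var hdr protectedHeader
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "ES256" {
		return nil, errors.New("badSignatureAlgorithm")
	}
	pub, ok := s.accounts[hdr.Kid]
	if !ok {
		return nil, errors.New("accountDoesNotExist")
	}
	if hdr.URL != requestURL {
		return nil, errors.New("unauthorized: url header does not match request URL")
	}
	sig, err := b64.DecodeString(j.Signature)
	if err != nil || len(sig) != 64 {
		return nil, errors.New("malformed")
	}
	digest := sha256.Sum256([]byte(j.Protected + "." + j.Payload))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("badSignature")
	}
	if !s.nonces[hdr.Nonce] {
		return nil, errors.New("badNonce")
	}
	delete(s.nonces, hdr.Nonce) // consume: resubmitting this exact JWS now fails
	return b64.DecodeString(j.Payload)
}

// Demo: one accepted request, then a verbatim replay and a cross-endpoint reuse.
func Demo() (accepted []byte, replayErr, urlErr error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	const kid = "https://ca.example/acme/acct/1" // assumed account URL
	srv.Register(kid, &priv.PublicKey)
	nonce, _ := srv.NewNonce()
	req, _ := Sign(priv, kid, nonce, "https://ca.example/acme/new-order", []byte(`{"identifiers":[]}`))
	if accepted, err = srv.Verify("https://ca.example/acme/new-order", req); err != nil {
		panic(err)
	}
	_, replayErr = srv.Verify("https://ca.example/acme/new-order", req) // same JWS again
	nonce2, _ := srv.NewNonce()
	req2, _ := Sign(priv, kid, nonce2, "https://ca.example/acme/new-order", []byte(`{}`))
	_, urlErr = srv.Verify("https://ca.example/acme/revoke-cert", req2) // reused elsewhere
	return
}

func main() {
	acc, replayErr, urlErr := Demo()
	fmt.Printf("accepted: %s\nreplay: %v\ncross-url: %v\n", acc, replayErr, urlErr)
}
```

Reusing this layer for another service gives you exactly these properties (the request came from the holder of a registered key, it was not replayed, and it was aimed at this endpoint) and nothing more; binding the account key to a domain is the job of ACME's challenges, which this sketch deliberately omits.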