It looks like the ACME working group built a generic client-authenticated replay-resistant protocol on top of HTTPS as a side product. https://tools.ietf.org/html/draft-ietf-acme-acme-18 …
Personally, I think the CDN MitM resistance thing is a big (and nearly fatal) distraction from ACME's core security model: a CSR is signed by an ACME account key, and the fingerprint of the ACME account key is placed in DNS/.well-known/etc. so therefore the CSR is legit.
Right, all I’m saying is that if you reuse the ACME “transport layer” for something that doesn’t have challenges, you don’t get that protection.