Re: [Acme] Revoking certificates issued by an unknown ACME server

Martin Thomson <martin.thomson@gmail.com> Fri, 15 January 2016 07:00 UTC

In-Reply-To: <20160115062649.GA21476@andover>
References: <20160114152747.GA28898@andover> <CABkgnnWjCbLjRhLH=riyWfCRxBX-kLVfAgTqVjrRR-8bMVCMkw@mail.gmail.com> <20160115062649.GA21476@andover>
Date: Fri, 15 Jan 2016 18:00:36 +1100
Message-ID: <CABkgnnWF9o6=xJdSCOOHO6gOxfRM4Ji8Ja_0vPhxqbnkvgQKyg@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Hugo Landau <hlandau@devever.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/NWy-eG7td9x591eErFX7iiqXIS4>
Cc: "acme@ietf.org" <acme@ietf.org>

On 15 January 2016 at 17:26, Hugo Landau <hlandau@devever.net> wrote:
> This isn't sanely automatable.
Correct.  But it doesn't require any work to define.  Do you have
evidence that suggests this scenario (a certificate issued by an ACME
server needs revocation by someone other than the one who requested
the certificate) would be commonplace enough to warrant automation?