[Acme] Revoking certificates issued by an unknown ACME server
Hugo Landau <hlandau@devever.net> Thu, 14 January 2016 15:27 UTC
Date: Thu, 14 Jan 2016 15:27:47 +0000
From: Hugo Landau <hlandau@devever.net>
To: acme@ietf.org
Message-ID: <20160114152747.GA28898@andover>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/UNCH86fmBaE8ceRxWTHvQng_bYM>
Subject: [Acme] Revoking certificates issued by an unknown ACME server
So while implementing revocation in my ACME client, I came to the following problem: how do you know which ACME server issued a certificate? Given an ACME server URL, one can obtain a certificate, but there is no reliable way to do the reverse.

If you think about it, it might be desirable to be able to revoke a certificate possessing nothing but the certificate. For example, suppose you identify a misissued certificate for a domain you control. Under the current ACME protocol, if you can prove control of that domain, you can revoke the certificate; however, this requires you to know what server issued it.

Not sure what the good solutions to this are. One would be to include the directory URL as an X.509 or OCSP extension, though that bloats the certificate/response. Another might be to reuse the OCSP responder URL, so that given an OCSP endpoint, one can obtain the ACME server URL, or at least one suitable for revocation. Something like:

Normal OCSP Request:

  GET http://ocsp.example.com/ocsp/MFMwUTBPME0wSzAJ

Revocation Location OCSP Request:

  GET http://ocsp.example.com/ocsp/acme-revoker/MFMwUTBPME0wSzAJ

  302 Found
  Location: https://acme-staging.letsencrypt.org/directory

Thoughts?

Hugo Landau
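The exchange proposed above, worked through end to end as an added example (this is not code from the post, from Hugo's client, or from any ACME implementation). Both sides are shown: a client that reads the OCSP responder URL out of a certificate's Authority Information Access extension, builds the proposed "acme-revoker" request, and takes the ACME directory URL from the 302 Location header; and an emulated responder that answers that request. The "acme-revoker" path segment, the encoded request "MFMwUTBPME0wSzAJ" and the staging directory URL are taken from the post; the certificate is self-signed test data constructed inline; the function names are this example's own. Two defensive choices go beyond the post: the client never auto-follows the redirect (the header is the answer, and a revocation request should not be replayed against whatever the hop lands on), and it refuses a Location that is not an https URL, since the OCSP hop itself is plaintext and must not be allowed to steer the client to an attacker-chosen directory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// acmeRevokerSegment is the path segment the post proposes inserting before the
// encoded OCSP request. It comes from the post, not from any standard.
const acmeRevokerSegment = "acme-revoker"

// RevokerLocationURL takes the first OCSP responder URL from the certificate's
// AIA extension (Go exposes it as OCSPServer) and appends
// "/acme-revoker/<base64 OCSP request>" to form the revocation-location request.
func RevokerLocationURL(cert *x509.Certificate, encodedReq string) (string, error) {
	if len(cert.OCSPServer) == 0 {
		return "", fmt.Errorf("certificate carries no OCSP responder URL")
	}
	u, err := url.Parse(cert.OCSPServer[0])
	if err != nil {
		return "", err
	}
	if u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("OCSP responder URL %q is not absolute", cert.OCSPServer[0])
	}
	u.Path = strings.TrimSuffix(u.Path, "/") + "/" + acmeRevokerSegment + "/" + encodedReq
	return u.String(), nil
}

// DiscoverDirectory issues the revocation-location request and returns the
// ACME directory URL from the 302 Location header. Redirects are not followed
// (the header is the answer), and only an https directory is accepted so the
// plaintext OCSP hop cannot point the client at an attacker-chosen directory.
func DiscoverDirectory(base *http.Client, revokerURL string) (string, error) {
	client := &http.Client{
		Transport: base.Transport,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
	resp, err := client.Get(revokerURL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusFound {
		return "", fmt.Errorf("expected 302 Found, got %s", resp.Status)
	}
	loc, err := url.Parse(resp.Header.Get("Location"))
	if err != nil || loc.Scheme != "https" || loc.Host == "" {
		return "", fmt.Errorf("refusing non-https directory location %q", resp.Header.Get("Location"))
	}
	return loc.String(), nil
}

// NewResponderServer emulates the responder side of the proposal: ordinary OCSP
// requests under /ocsp/ get an (empty placeholder) OCSP response, while
// /ocsp/acme-revoker/... answers 302 with the configured directory URL.
func NewResponderServer(directoryURL string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/ocsp/"+acmeRevokerSegment+"/", func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, directoryURL, http.StatusFound)
	})
	mux.HandleFunc("/ocsp/", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/ocsp-response")
		w.WriteHeader(http.StatusOK) // a real responder writes a DER OCSPResponse here
	})
	return httptest.NewServer(mux)
}

// MakeTestCert builds a self-signed certificate (constructed test data, not a
// real issuance) whose AIA extension lists the given OCSP responder URLs.
func MakeTestCert(ocspURLs []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		OCSPServer:   ocspURLs,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

To run it stand-alone, start `NewResponderServer("https://acme-staging.letsencrypt.org/directory")`, build a certificate with `MakeTestCert([]string{srv.URL + "/ocsp"})`, and chain `RevokerLocationURL` into `DiscoverDirectory(srv.Client(), ...)`; the result is the staging directory URL. A certificate with no AIA entry fails at the first step, which is exactly the gap the post describes: without some link from certificate to server, revocation-with-only-the-certificate has nowhere to start.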