Re: [Acme] Revocation via ACME using pre-signed artifact
Sebastian Nielsen <sebastian@sebbe.eu> Fri, 19 June 2020 17:30 UTC
From: Sebastian Nielsen <sebastian@sebbe.eu>
To: "'Salz, Rich'" <rsalz=40akamai.com@dmarc.ietf.org>, 'Matt Palmer' <mpalmer@hezmatt.org>, acme@ietf.org
Date: Fri, 19 Jun 2020 19:30:47 +0200
In-Reply-To: <E9A336E7-B8A9-42BC-AAE3-9598D35C5DC1@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/VufJpLeeNaX8qhlH4hYnh2tU4WI>
What he is talking about is making it possible to get a "revocation blob" from the ACME client, for a specific client or certificate. This can then be locked securely inside a safe, or published with a dead man's switch.

IF anything happens to the certificate, you just take out the securely stored "revocation blob" OR let the dead man's switch expire, and then you submit the revocation blob (or let another person do it - for example the dead man's switch service) to the ACME server, which will then revoke the associated certificate or all certificates under an account, or allow choosing a certificate.

The purpose is that this revocation blob should be limited in access such that it can ONLY be used to revoke certificates - and maybe be one-use only, so if you want to revoke another certificate you have to use a fresh, unused blob. Thus that blob does not need to be stored super-securely; it can be stored accessibly enough that it can be used in an emergency. The private key of the certificate or account needs to be stored securely enough that nobody else gets it, else the certificate could be misused.

-----Original message-----
From: Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org>
Sent: 19 June 2020 19:12
To: Matt Palmer <mpalmer@hezmatt.org>; acme@ietf.org
Subject: Re: [Acme] Revocation via ACME using pre-signed artifact

> That's true if you want to revoke a certificate, but how do you deactivate an account without access to the private key?

I don't think ACME should handle this.
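To make the "revocation blob" idea concrete, here is an added sketch (not code from this thread or from any ACME implementation) of a hypothetical artifact format and the server-side checks it would need: the blob is bound to one certificate and to the single purpose of revocation, carries a one-time nonce so it works only once, and contains no private key. It assumes an Ed25519 certificate key and a CA that looks certificates up by SHA-256 fingerprint of their DER; it is deliberately not the RFC 8555 revokeCert JWS, which carries a fresh server nonce in its protected header and so cannot itself be pre-signed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// RevocationArtifact is a hypothetical pre-signed "revocation blob" (not an RFC 8555 message).
type RevocationArtifact struct {
	CertFingerprint [32]byte // SHA-256 of the certificate's DER: which certificate this revokes
	Nonce           [16]byte // random, so the server can refuse a second use of the same blob
	Sig             []byte   // Ed25519 signature by the certificate's own key; no private material
}
// bytesToSign fixes the signed layout (label || fingerprint || nonce); the label scopes the blob to revocation.
func (a *RevocationArtifact) bytesToSign() []byte {
	return append(append([]byte("acme-revoke-v0:"), a.CertFingerprint[:]...), a.Nonce[:]...)
}
// MakeRevocationArtifact is run by the holder in advance; the result is what goes in the safe.
func MakeRevocationArtifact(priv ed25519.PrivateKey, certDER []byte) (*RevocationArtifact, error) {
	a := &RevocationArtifact{CertFingerprint: sha256.Sum256(certDER)}
	if _, err := rand.Read(a.Nonce[:]); err != nil {
		return nil, err
	}
	a.Sig = ed25519.Sign(priv, a.bytesToSign())
	return a, nil
}

// Server models the CA side; Issue records each certificate's public key (stand-in for the CA database).
type Server struct {
	certKeys   map[[32]byte]ed25519.PublicKey
	usedNonces map[[16]byte]bool // every artifact nonce honoured so far
}

func NewServer() *Server { return &Server{map[[32]byte]ed25519.PublicKey{}, map[[16]byte]bool{}} }
func (s *Server) Issue(pub ed25519.PublicKey, certDER []byte) { s.certKeys[sha256.Sum256(certDER)] = pub }

// Revoke honours an artifact only if the named certificate's key signed it and the nonce is
// fresh, so a leaked blob can do nothing except revoke that one certificate, and only once.
func (s *Server) Revoke(a *RevocationArtifact) error {
	pub, ok := s.certKeys[a.CertFingerprint]
	if !ok || !ed25519.Verify(pub, a.bytesToSign(), a.Sig) {
		return errors.New("not signed by the named certificate's key")
	}
	if s.usedNonces[a.Nonce] {
		return errors.New("artifact already used")
	}
	s.usedNonces[a.Nonce] = true
	return nil
}
```

Deactivating an account, as asked in the quoted message, is not covered: the artifact proves control of one certificate key only, which is exactly the limitation the blob is meant to have.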