Re: [Acme] Revocation via ACME using pre-signed artifact

Sebastian Nielsen <sebastian@sebbe.eu> Fri, 19 June 2020 17:30 UTC

From: Sebastian Nielsen <sebastian@sebbe.eu>
To: "'Salz, Rich'" <rsalz=40akamai.com@dmarc.ietf.org>, 'Matt Palmer' <mpalmer@hezmatt.org>, acme@ietf.org
Message-ID: <000a01d6465f$5eff5ec0$1cfe1c40$@sebbe.eu>
In-Reply-To: <E9A336E7-B8A9-42BC-AAE3-9598D35C5DC1@akamai.com>
References: <20200618232136.dusrpzvag62hofh4@hezmatt.org> <1d8652f0-45fc-162b-9add-1b0549004578@pinterjann.is> <20200619055624.b77gw6ya5ogwnqrf@hezmatt.org> <E9A336E7-B8A9-42BC-AAE3-9598D35C5DC1@akamai.com>
Date: Fri, 19 Jun 2020 19:30:47 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/VufJpLeeNaX8qhlH4hYnh2tU4WI>

What he is talking about is to make it possible to get a "revocation blob"
from the ACME client, for a specific client or certificate.
This can then be locked securely inside a safe, or published with a
dead man's switch.

IF anything happens to the certificate, you just take out the securely
stored "revocation blob" OR let the dead man's switch expire, and then you
submit the revocation blob (or let another person do it - for example the
dead man's switch service) to the ACME server, which will then revoke the
associated certificate or all certificates under an account, or allow
choosing of a certificate.

The purpose is that this revocation blob should be limited in access such
that it can ONLY be used to revoke certificates - and maybe one-use only so
if you want to revoke another certificate, you have to use a fresh unused
blob, and thus that blob does not need to be stored super-securely, it can
be stored accessible enough that it can be used in an emergency.

The private key of the certificate or account needs to be stored securely
enough that nobody else gets it, else the certificate could be misused.

-----Original message-----
From: Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org>
Sent: 19 June 2020 19:12
To: Matt Palmer <mpalmer@hezmatt.org>; acme@ietf.org
Subject: Re: [Acme] Revocation via ACME using pre-signed artifact

> That's true if you want to revoke a certificate, but how do you deactivate
> an account without access to the private key?

I don't think ACME should handle this.
 

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
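As an added example (not part of this thread, and not code from any ACME client or server), the Go program below models the "revocation blob" described in the message above: a statement signed with the account key that is scoped to revocation of one certificate, carries an expiry, and is accepted by the server at most once. The point it demonstrates is the risk split the message relies on: a copy that leaks from the safe or the dead man's switch can cause an unwanted revocation, but cannot issue certificates or otherwise act as the account, because the blob contains no private key. The field names, the choice of Ed25519, the fingerprint binding and the one-use bookkeeping are all assumptions made for this illustration; RFC 8555 as published requires a fresh server nonce in every signed request, so a real pre-signed artifact would need a protocol extension of the kind the thread is discussing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// RevocationBlob is a hypothetical pre-signed revocation artifact modelled on
// the "revocation blob" in the thread. It is NOT an RFC 8555 message; every
// field name here is an assumption made for this illustration.
type RevocationBlob struct {
	Scope      string `json:"scope"`       // fixed to "revoke-only": the blob can do nothing else
	CertSHA256 string `json:"cert_sha256"` // fingerprint of the one certificate it may revoke
	Reason     int    `json:"reason"`      // CRL reason code (RFC 5280), e.g. 1 = keyCompromise
	NotAfter   int64  `json:"not_after"`   // Unix time after which the blob is rejected
	ID         string `json:"id"`          // random identifier; the server accepts each ID once
}

// SignedBlob is what goes in the safe: payload plus signature, no private key.
type SignedBlob struct {
	Payload   string `json:"payload"`   // base64url(JSON RevocationBlob)
	Signature string `json:"signature"` // base64url(Ed25519 signature over Payload)
}

// NewBlob is the client side: sign a revoke-only statement for certDER with the
// account private key while that key is still available.
func NewBlob(priv ed25519.PrivateKey, certDER []byte, reason int, ttl time.Duration, now time.Time) (SignedBlob, error) {
	idBytes := make([]byte, 16)
	if _, err := rand.Read(idBytes); err != nil {
		return SignedBlob{}, err
	}
	fp := sha256.Sum256(certDER)
	raw, err := json.Marshal(RevocationBlob{
		Scope:      "revoke-only",
		CertSHA256: hex.EncodeToString(fp[:]),
		Reason:     reason,
		NotAfter:   now.Add(ttl).Unix(),
		ID:         hex.EncodeToString(idBytes),
	})
	if err != nil {
		return SignedBlob{}, err
	}
	payload := base64.RawURLEncoding.EncodeToString(raw)
	sig := ed25519.Sign(priv, []byte(payload))
	return SignedBlob{Payload: payload, Signature: base64.RawURLEncoding.EncodeToString(sig)}, nil
}

// Verifier is the server side: the account's public key plus the set of blob
// IDs already consumed, which is what makes each blob one-use.
type Verifier struct {
	AccountPub ed25519.PublicKey
	Used       map[string]bool
}

// Consume checks signature, scope, expiry, certificate binding and replay, in
// that order, and marks the blob used only after every check has passed.
func (v *Verifier) Consume(sb SignedBlob, certDER []byte, now time.Time) (RevocationBlob, error) {
	var blob RevocationBlob
	sig, err := base64.RawURLEncoding.DecodeString(sb.Signature)
	if err != nil {
		return blob, err
	}
	if !ed25519.Verify(v.AccountPub, []byte(sb.Payload), sig) {
		return blob, errors.New("signature does not verify under the account key")
	}
	raw, err := base64.RawURLEncoding.DecodeString(sb.Payload)
	if err != nil {
		return blob, err
	}
	if err := json.Unmarshal(raw, &blob); err != nil {
		return blob, err
	}
	if blob.Scope != "revoke-only" {
		return blob, errors.New("blob is not scoped to revocation")
	}
	if now.Unix() > blob.NotAfter {
		return blob, errors.New("blob has expired")
	}
	fp := sha256.Sum256(certDER)
	if blob.CertSHA256 != hex.EncodeToString(fp[:]) {
		return blob, errors.New("blob is bound to a different certificate")
	}
	if v.Used[blob.ID] {
		return blob, errors.New("blob already used")
	}
	v.Used[blob.ID] = true
	return blob, nil
}

func main() {
	// Constructed demo input: a placeholder standing in for real certificate DER.
	certDER := []byte("constructed-certificate-der-placeholder")
	pub, priv, _ := ed25519.GenerateKey(nil)
	now := time.Now()
	sb, _ := NewBlob(priv, certDER, 1, 90*24*time.Hour, now)
	v := &Verifier{AccountPub: pub, Used: map[string]bool{}}
	_, err := v.Consume(sb, certDER, now)
	fmt.Println("first submission:", err) // nil: the certificate would be revoked
	_, err = v.Consume(sb, certDER, now)
	fmt.Println("second submission:", err) // rejected as already used
}
```

The order of checks in `Consume` matters: the replay flag is set only after the blob has passed every other check, so a submission that fails on the wrong certificate or an expired timestamp does not burn the ID, and a still-valid blob for that certificate remains usable in the emergency it was created for.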