Re: [Acme] Revoking certificates issued by an unknown ACME server

Hugo Landau <hlandau@devever.net> Fri, 15 January 2016 06:26 UTC

Return-Path: <hlandau@devever.net>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D6261B29D2 for <acme@ietfa.amsl.com>; Thu, 14 Jan 2016 22:26:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QX1aemIvp7pO for <acme@ietfa.amsl.com>; Thu, 14 Jan 2016 22:26:51 -0800 (PST)
Received: from umbriel.devever.net (umbriel.devever.net [149.202.51.241]) by ietfa.amsl.com (Postfix) with ESMTP id 15B261B29D1 for <acme@ietf.org>; Thu, 14 Jan 2016 22:26:51 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by umbriel.devever.net (Postfix) with ESMTP id 36F811C13C; Fri, 15 Jan 2016 07:26:50 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=devever.net; h= user-agent:in-reply-to:content-disposition:content-type :content-type:mime-version:references:message-id:subject:subject :from:from:date:date:received:received; s=mimas; t=1452839210; x=1471028571; bh=mqKyphkfYN1+xS0bT7RGwJJAOs1jFSVPZ2DVzaUJo/M=; b= MGTkvpUfMGxx4Kk37panhzUDmxlfJkkhagW9R5SjZPxYTcfCcen1lqSNyVlog+KP /h1XPGySbPZnQhPHZqQ3PSw9OPstihw4s5b3G3YsoqgNhokyawn3u0bqR2cWMgJ6 /2z678DWTv1rgGKmsbP03bgQiPSWgQ5k6WHGiDUVmu0Rm+NsIr3I6/Ek2hsTDXrx Mazu1ieumMzHusX9bY3Pd1vybXa1h8N98cIZPluOItCrdlUe2DyduUMQ2ZkCQLHN eYPIXldfXkh7pRT0F4LKHInFvzVPiN7ZkkAjvvHhLC1nhFUVBZe5j+Z+Oz1iU0Hq UAIKNd6WyQB4BkIikikMZA==
Received: from umbriel.devever.net ([127.0.0.1]) by localhost (umbriel.devever.net [127.0.0.1]) (amavisd-new, port 10026) with LMTP id vjW47UeU5KpI; Fri, 15 Jan 2016 07:26:50 +0100 (CET)
Received: from andover (localhost [127.0.0.1]) by umbriel.devever.net (Postfix) with SMTP id ED0671C005; Fri, 15 Jan 2016 07:26:49 +0100 (CET)
Date: Fri, 15 Jan 2016 06:26:49 +0000
From: Hugo Landau <hlandau@devever.net>
To: Martin Thomson <martin.thomson@gmail.com>
Message-ID: <20160115062649.GA21476@andover>
References: <20160114152747.GA28898@andover> <CABkgnnWjCbLjRhLH=riyWfCRxBX-kLVfAgTqVjrRR-8bMVCMkw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CABkgnnWjCbLjRhLH=riyWfCRxBX-kLVfAgTqVjrRR-8bMVCMkw@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/cb3xvQ0u2Y2NWGAIxTVK6gb0YUc>
Cc: acme@ietf.org
Subject: Re: [Acme] Revoking certificates issued by an unknown ACME server
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jan 2016 06:26:53 -0000

This isn't sanely automatable.

It's unlikely that this will pose an issue if a human wants to figure
out the issuing server. But as things stand to automate things you'd
need to maintain a database of CAs to directory URLs.

On Fri, Jan 15, 2016 at 01:55:42PM +1100, Martin Thomson wrote:
> Is there any reason why you couldn't rely on a search engine for this?
>  That is, search for "acme endpoint <intermediate CN>" and thereby
> arrive at a value.  That's the "low tech" alternative to packing the
> URL in the ee or intermediate cert.
> 
> On 15 January 2016 at 02:27, Hugo Landau <hlandau@devever.net> wrote:
> > So while implementing revocation in my ACME client, I came to the
> > following problem: how do you know which ACME server issued a
> > certificate?
> >
> > Given an ACME server URL, one can obtain a certificate, but there is no
> > reliable way to do the reverse.
> >
> > If you think about it, it might be desirable to be able to revoke a
> > certificate possessing nothing but the certificate. For example, suppose
> > you identify a misissued certificate for a domain you control. Under the
> > current ACME protocol, if you can prove control of that domain, you can
> > revoke the certificate; however, this requires you to know what server
> > issued it.
> >
> > Not sure what the good solutions to this are. One would be to include
> > the directory URL as an X.509 or OCSP extension, though that bloats the
> > certificate/response. Another might be to reuse the OCSP responder URL,
> > so that given an OCSP endpoint, one can obtain the ACME server URL, or
> > at least one suitable for revocation.
> >
> > Something like:
> >
> >   Normal OCSP Request:
> >   GET http://ocsp.example.com/ocsp/MFMwUTBPME0wSzAJ
> >
> >
> >   Revocation Location OCSP Request:
> >   GET http://ocsp.example.com/ocsp/acme-revoker/MFMwUTBPME0wSzAJ
> >
> >   302 Found
> >   Location: https://acme-staging.letsencrypt.org/directory
> >
> >
> > Thoughts?
> >
> > Hugo Landau
> >
> > _______________________________________________
> > Acme mailing list
> > Acme@ietf.org
> > https://www.ietf.org/mailman/listinfo/acme