Re: [Acme] Revoking certificates issued by an unknown ACME server

Hugo Landau <hlandau@devever.net> Fri, 15 January 2016 06:26 UTC


This isn't sanely automatable.

It's unlikely that this will pose an issue if a human wants to figure
out the issuing server. But as things stand, to automate things you'd
need to maintain a database of CAs to directory URLs.

On Fri, Jan 15, 2016 at 01:55:42PM +1100, Martin Thomson wrote:
> Is there any reason why you couldn't rely on a search engine for this?
> That is, search for "acme endpoint <intermediate CN>" and thereby
> arrive at a value.  That's the "low tech" alternative to packing the
> URL in the ee or intermediate cert.
> 
> On 15 January 2016 at 02:27, Hugo Landau <hlandau@devever.net> wrote:
> > So while implementing revocation in my ACME client, I came to the
> > following problem: how do you know which ACME server issued a
> > certificate?
> >
> > Given an ACME server URL, one can obtain a certificate, but there is no
> > reliable way to do the reverse.
> >
> > If you think about it, it might be desirable to be able to revoke a
> > certificate possessing nothing but the certificate. For example, suppose
> > you identify a misissued certificate for a domain you control. Under the
> > current ACME protocol, if you can prove control of that domain, you can
> > revoke the certificate; however, this requires you to know what server
> > issued it.
> >
> > Not sure what the good solutions to this are. One would be to include
> > the directory URL as an X.509 or OCSP extension, though that bloats the
> > certificate/response. Another might be to reuse the OCSP responder URL,
> > so that given an OCSP endpoint, one can obtain the ACME server URL, or
> > at least one suitable for revocation.
> >
> > Something like:
> >
> >   Normal OCSP Request:
> >   GET http://ocsp.example.com/ocsp/MFMwUTBPME0wSzAJ
> >
> >
> >   Revocation Location OCSP Request:
> >   GET http://ocsp.example.com/ocsp/acme-revoker/MFMwUTBPME0wSzAJ
> >
> >   302 Found
> >   Location: https://acme-staging.letsencrypt.org/directory
> >
> >
> > Thoughts?
> >
> > Hugo Landau
> >
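The lookup that Hugo's OCSP-redirect sketch implies, written out as an added Go example that is not part of this thread or of any ACME client: it takes the OCSP responder URL from the certificate's AIA (crypto/x509's OCSPServer field), inserts the proposed acme-revoker path segment, and accepts only a 302 to an absolute https URL as the directory location. The acme-revoker segment and the redirect behaviour are the thread's proposal, assumed here, not a deployed convention; a responder that does not implement it simply yields "issuer unknown".

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Path segment from the thread's proposal; an assumption, not a deployed convention.
const revokerSegment = "acme-revoker"

// acmeRevokerURL turns the certificate's AIA OCSP responder URL into the proposed
// "Revocation Location OCSP Request" URL. encodedReq is the base64 OCSP request
// that a GET-style OCSP request already carries as its last path segment.
func acmeRevokerURL(cert *x509.Certificate, encodedReq string) (string, error) {
	if len(cert.OCSPServer) == 0 {
		return "", errors.New("certificate carries no OCSP responder URL in AIA")
	}
	u, err := url.Parse(cert.OCSPServer[0])
	if err != nil {
		return "", err
	}
	u.Path = strings.TrimSuffix(u.Path, "/") + "/" + revokerSegment + "/" + encodedReq
	return u.String(), nil
}

// lookupDirectory sends the request without following redirects and accepts only
// a 302 whose Location is an absolute https URL, so an OCSP responder that does not
// implement the extension (200, 404, ...) or redirects to plain http is reported
// as "issuing ACME server unknown" rather than silently followed.
func lookupDirectory(transport http.RoundTripper, revokerURL string) (string, error) {
	client := &http.Client{Transport: transport, CheckRedirect: func(*http.Request, []*http.Request) error {
		return http.ErrUseLastResponse
	}}
	resp, err := client.Get(revokerURL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusFound {
		return "", fmt.Errorf("responder answered %d, not 302 Found", resp.StatusCode)
	}
	loc, err := url.Parse(resp.Header.Get("Location"))
	if err != nil || loc.Scheme != "https" || loc.Host == "" {
		return "", errors.New("redirect target is not an absolute https URL")
	}
	return loc.String(), nil
}
```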