Re: [Acme] Validation Vulnerabilities

"Salz, Rich" <rsalz@akamai.com> Fri, 05 June 2015 15:40 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: moparisthebest <admin@moparisthebest.com>, "acme@ietf.org" <acme@ietf.org>
Date: Fri, 5 Jun 2015 15:40:31 +0000
Message-ID: <3face5aa3c4e4c7f93b69a34e9200bb3@ustx2ex-dag1mb2.msg.corp.akamai.com>
References: <55719D59.6050800@moparisthebest.com>
In-Reply-To: <55719D59.6050800@moparisthebest.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/o61v9ywzPKPq-uQlKT7H8kJGVKc>

FWIW, IMHO, and whatever other fla's are appropriate:

I think it makes sense to at least detail the attacks, since relying on DNS is one of the methods supported by ACME.

> I cross-posted this from
> https://github.com/letsencrypt/acme-spec/issues/131

Can the people who maintain this particular GitHub repo put up some notice in BIG BOLD FLASHING LETTERS that the proper place for discussion is on this mailing list?

Thanks.