[Acme] How does ACME handle domain reuse?

SJ Kissane <skissane@gmail.com> Thu, 26 March 2015 05:26 UTC

Date: Thu, 26 Mar 2015 16:26:23 +1100
Message-ID: <CACX070BWaf1MGMNkOO61JbrP4hP3P0PsMsR3Ozkad1eOHRrmoQ@mail.gmail.com>
From: SJ Kissane <skissane@gmail.com>
To: acme@ietf.org
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/pYx2tKO_dYM-k_kqbhL6jd32Zek>
List-Id: Automated Certificate Management Environment <acme.ietf.org>


Sally registers the domain example.com to host her website. She uses
ACME to SSL protect it. Later, Sally loses interest in her website and
decides not to renew example.com, and it expires. Steve wants to start
a website - he notices that example.com is unregistered, so he
registers it and opens his own website on it. He then tries to use
ACME to SSL protect it. How should the ACME server distinguish this
(entirely legitimate) domain reuse scenario from a domain hijacking
attack? Steve doesn't know Sally and cannot rely on Sally to provide the
recovery token. Steve might be very disappointed to discover he can't
use ACME for SSL, simply because a previous registrant of the same
domain name has already used it. How will the ACME protocol handle this?

One option is maybe the ACME server operator can scan WHOIS records to
detect changes in domain ownership. This still might pose a problem
for subdomains, e.g. if I allow other people to register under my
example.com, and then one of the subdomain users sets up ACME, and
then I want to use the subdomain for something else, and then suppose I
cannot get the former subdomain assignee to hand over the recovery
token. Maybe we need a way in the protocol for a parent domain
controller to revoke control of the child domain. So if I control
example.com, and authenticate to ACME using example.com, I can then
make ACME revoke foo.example.com, even if I don't know the recovery
token for it.

Or possibly, the right solution is non-technical: the ACME server operator
establishes an out-of-band manual process to handle these scenarios.
But, even if you decide that is the answer, the RFC should still
discuss these scenarios, and require the ACME server operator to
establish a policy/business process to handle them.
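
One way the parent-revokes-child idea in the message above could look on the server side, as an added sketch that is not part of the original post or of the ACME specification. `AuthzRegistry`, `revoke_children` and the account names are hypothetical, and the registry assumes an authorization is recorded only after a fresh domain-control challenge.

```python
from dataclasses import dataclass, field


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop a trailing root dot."""
    return name.strip().lower().rstrip(".")


def is_strict_subdomain(child: str, parent: str) -> bool:
    """True only when child sits below parent on a label boundary."""
    child, parent = normalize(child), normalize(parent)
    # Matching on "." + parent stops notexample.com passing as a child of example.com.
    return bool(parent) and child != parent and child.endswith("." + parent)


@dataclass
class AuthzRegistry:
    """Hypothetical server-side table: domain -> account holding its authorization."""
    holders: dict = field(default_factory=dict)

    def authorize(self, account: str, domain: str) -> None:
        # Assumption: the account has just passed a fresh domain-control challenge.
        self.holders[normalize(domain)] = account

    def revoke_children(self, account: str, parent: str) -> list:
        """Let the current holder of `parent` revoke authorizations beneath it."""
        parent = normalize(parent)
        if self.holders.get(parent) != account:
            raise PermissionError(f"{account} does not hold {parent}")
        revoked = sorted(
            d for d, holder in self.holders.items()
            if is_strict_subdomain(d, parent) and holder != account
        )
        for d in revoked:
            del self.holders[d]  # no recovery token from the former holder needed
        return revoked


def demo() -> list:
    # Constructed sample data: one parent holder, two tenants, one look-alike name.
    reg = AuthzRegistry()
    reg.authorize("owner", "example.com")
    reg.authorize("tenant", "foo.example.com")
    reg.authorize("tenant2", "a.b.example.com")
    reg.authorize("owner", "www.example.com")
    reg.authorize("other", "notexample.com")
    return reg.revoke_children("owner", "example.com")
```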