Re: [Acme] Remove "Proof of possession" challenge?

Peter Eckersley <> Tue, 29 December 2015 00:34 UTC

Date: Mon, 28 Dec 2015 16:34:20 -0800
From: Peter Eckersley <>
To: Richard Barnes <>

The current PoP challenge hasn't been implemented, and I've heard some
concerns about its cryptographic safety (how does one ensure that the
POP signature can't be maliciously reused as the 32 byte server
signature in a DHE handshake?), though a few people have suggested
alternative versions, which involve either proving possession by signing
a CSR that contains a nonce field, or posting a manifest file at a
browser-valid HTTPS URL.  Such a manifest file could also potentially be used
to pin authority-to-use-ACME to specific account keys, perhaps on a
per-subdomain basis, which might be useful for large domains that (a)
don't want exposure to network attacks against DV and/or (b) have a lot
of subdomains with different applicable administrative constraints.

Those ideas would be proof-of-possession-02 if we were to pursue them; I
believe it's safe to remove proof-of-possession-01.

On Mon, Dec 28, 2015 at 04:57:57PM -0500, Richard Barnes wrote:
> Hey ACME folks,
>
> I just updated the editor's draft to change the name of the "proof of
> possession of a prior key" challenge to "proof-of-possession-01" (from
> "proofOfPossession-01").  But that got me thinking -- do we actually
> need this challenge?
>
> If I recall correctly, this was added to the initial version of the
> spec because some folks from Let's Encrypt thought that they would use
> it as an extra check for high-value domains with known, existing
> certificates.  However, they don't seem to have gotten around to
> implementing it.
>
> Is anyone aware of CAs out there that would use
> "proof-of-possession-01"?  That is, CAs that keep track of existing
> certificates and require an applicant for a domain with an existing
> cert to prove that they hold the corresponding private key?
>
> If not, maybe we can streamline the spec by removing that challenge
> type.  It can always get re-added in a future spec if there turns out
> to be a need.
>
> --Richard

Peter Eckersley                  
Chief Computer Scientist          Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
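
The CSR-with-a-nonce variant mentioned in the message above, as an added example that is not part of the original thread or of any ACME draft. The nonce extension OID, the function names, the use of Ed25519 keys and the sample domain and nonce are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
)

var nonceOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1} // hypothetical OID (assumption)

// makePoPCSR (applicant side): sign a CSR for domain that embeds the CA's nonce.
func makePoPCSR(key ed25519.PrivateKey, domain string, nonce []byte) ([]byte, error) {
	val, _ := asn1.Marshal(nonce) // DER OCTET STRING; cannot fail for a []byte
	ext := pkix.Extension{Id: nonceOID, Value: val}
	tmpl := &x509.CertificateRequest{DNSNames: []string{domain}, ExtraExtensions: []pkix.Extension{ext}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// verifyPoPCSR (CA side): CSR must be signed by the prior key, name the domain, echo the nonce.
func verifyPoPCSR(der []byte, prior ed25519.PublicKey, domain string, nonce []byte) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil || csr.CheckSignature() != nil {
		return errors.New("CSR is malformed or its self-signature is invalid")
	}
	if !prior.Equal(csr.PublicKey) {
		return errors.New("CSR key is not the key of the existing certificate")
	}
	if len(csr.DNSNames) != 1 || csr.DNSNames[0] != domain {
		return errors.New("CSR does not name exactly the challenged domain")
	}
	want, _ := asn1.Marshal(nonce)
	for _, ext := range csr.Extensions {
		if ext.Id.Equal(nonceOID) && bytes.Equal(ext.Value, want) {
			return nil
		}
	}
	return errors.New("nonce missing or not the one issued for this challenge")
}

func main() { // constructed demo values
	pub, priv, _ := ed25519.GenerateKey(nil)
	der, _ := makePoPCSR(priv, "example.org", []byte("constructed-nonce-1"))
	fmt.Println(verifyPoPCSR(der, pub, "example.org", []byte("constructed-nonce-1")))
}
```

Because the signed object is a complete CSR structure that names the domain and carries a fresh nonce, the CA can reject a signature produced for a different challenge, domain or key.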