[Acme] Threat model: Evil CAs with limited or no scope?
Jann Horn <firstname.lastname@example.org> Sun, 19 April 2015 15:40 UTC
List-Id: Automated Certificate Management Environment <acme.ietf.org>
After a look at the ACME spec, this seems to me like it might be a small problem:

The owner of example.org wants to obtain a certificate for example.org from a malicious organization that claims to be a CA, but isn't one, or that is a CA with a scope that is limited somehow (e.g. because its certificate is not accepted by all browsers). The malicious organization wants to obtain a certificate for example.org for its own evil purposes that is less restricted than certificates it could issue on its own. To achieve that, it registers at a more privileged CA and poses as the owner of example.org. When the real CA asks the malicious CA to confirm its identity using simpleHttps or DVSNI, the malicious CA simply forwards the challenge to the victim ACME client.

Did I miss something in the spec, or would that work?

I'm not sure how important this is, but would it maybe be a good idea to let the ACME client prefix or hash together the provisioned values with the identity (domain name or so) of the CA it's talking to?
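
The mitigation proposed in the message above, sketched as an added example that is not part of the original message or of the ACME spec: a simplified model in which the client hashes the challenge token together with the identity of the CA it believes it is talking to. The class and function names, the CA names and the SHA-256 construction are assumptions for illustration, and the model assumes the client learns the CA identity from an authenticated channel.

```python
import hashlib
import hmac
import secrets


def provisioned_value(token: str, ca_identity: str, bind: bool) -> str:
    """Value the client publishes on its domain for a challenge token."""
    if not bind:
        return token  # unbound: the same value satisfies any CA
    # Length-prefix the identity so (identity, token) pairs cannot collide.
    data = f"{len(ca_identity)}:{ca_identity}:{token}".encode()
    return hashlib.sha256(data).hexdigest()


class Client:
    """Domain owner's client (hypothetical model, not a real ACME client)."""
    def __init__(self, bind: bool):
        self.bind = bind
        self.published = None

    def answer(self, token: str, ca_identity: str) -> None:
        # ca_identity is the CA the client believes it is talking to.
        self.published = provisioned_value(token, ca_identity, self.bind)


class CA:
    def __init__(self, identity: str):
        self.identity = identity

    def new_token(self) -> str:
        return secrets.token_hex(16)

    def validate(self, token: str, client: Client, bind: bool) -> bool:
        # The CA recomputes the value under its own identity.
        expected = provisioned_value(token, self.identity, bind)
        return client.published is not None and hmac.compare_digest(
            client.published, expected)


def validation_passes(bind: bool, forwarded: bool) -> bool:
    """Does the issuing CA accept what the client published?"""
    issuing = CA("issuing-ca.example")  # constructed name
    client = Client(bind)
    token = issuing.new_token()
    # When the challenge is forwarded, the client sees the intermediary.
    seen_by_client = "limited-ca.example" if forwarded else issuing.identity
    client.answer(token, seen_by_client)
    return issuing.validate(token, client, bind)
```

With binding enabled, a forwarded challenge fails at the issuing CA because the client hashed in the intermediary's identity, while a direct request still validates.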