You can already revoke with the cert key. On Mon, Apr 18, 2016 at 12:30 PM, Philipp Junghannß < teamhydro55...@gmail.com> wrote:
> In my opinion it would be also nice if you could revoke with the cert key > making it possible to remove the cert even if the acc is down. > Am 18.04.2016 18:15 schrieb "sheel.at" <pub...@sheel.at>: > >> Suppose an account key gets compromised. To prevent abuse, the owner can >> delete the account: >> >> https://github.com/ietf-wg-acme/acme/blob/master/draft-ietf-acme-acme.md#deleting-an-account >> However, people having the key can simply change it without any effort: >> >> https://github.com/ietf-wg-acme/acme/blob/master/draft-ietf-acme-acme.md#account-key-roll-over >> >> What happens if the attacker does so before the owner can react, or even >> before the owner notices anything of the breach? >> >> I suggest changing tha specs (and implementation) to keep old keys after >> changes for while. More specifically: >> * When an account key is rolled over, the old key is kept for eg. 30 days. >> * Multiple changes within this 30 days mean that there are multiple old >> keys. >> * Account deletion is possible with any of the saved keys, be it old or >> new. >> * Everything else (other than account deletion) only accepts the new >> (newest) key. >> >> Related: >> The owner has no possibiliy to revoke certificates issued by the >> attacker. For proper uses, nuking all certs when deleting the account >> might be not what the users like, but for the attack scenarion... >> >> Related 2 (yeah, it's getting bothersome) >> If there is an "optional" certificate nuking when deleting accounts, the >> attacker could issue certificates and then delete the accountwithout >> destroying the certificates(the attacker!), to prevent the real owner >> from destroying the certificates. Meaning, a "partially" deleted account >> has to stay around for ... as long as there are non-expired >> certificates?, just for the possibility that someone wants to delete the >> rest too. (But without being useful for anything else other than deleting) >> >> ... >> I'm rather new to the Let'sEncrypt internals, so if I missed the fact >> that there is a solution already, please forgive me. >> >> Otherwise, sorry, I know spec'ing and implementing this would be >> annoying. But without this, the possibility for deleting an account key >> is not particularly useful. >> >> >> _______________________________________________ >> Acme mailing list >> Acme@ietf.org >> https://www.ietf.org/mailman/listinfo/acme >> > > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme > >
_______________________________________________ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme