Hopefully you've seen the developing description of the protocol here:

https://github.com/letsencrypt/acme-spec/blob/master/draft-barnes-acme.md

That sounds like it will soon make its way into IETF for a broader discussion.

I don't see an explicit mechanism that can deal with poisoning, but it might be that they check a few independent network views of the record they're verifying.

I'm CC'ing Richard who has done a lot of the thinking to date... Richard, not sure if you can post to libtech but happy to intermediate.

best, Joe

On 11/19/14, 10:13 AM, Richard Brooks wrote:
> Just looked at this:
>
> https://letsencrypt.org/howitworks/technology/
>
> The EFF's new CA to make things cheap and easy for installing
> certs. I like the goal.
>
> What I do not get from the description is how they really verify
> that I legitimately own the site. If I should manage to reroute
> some traffic and do DNS cache poisoning on a web-site address,
> wouldn't the system accept my web-site as valid? It seems like they
> are accepting the fact that you can reach the site using DNS
> information (which is not secured) as proof of legitimacy.
>
> Or is there something I am missing?
>

--
Joseph Lorenzo Hall
Chief Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
j...@cdt.org
PGP: https://josephhall.org/gpg-key
fingerprint: 3CA2 8D7B 9F6D DBD3 4B10 1607 5F86 6987 40A9 A871