To me, the idea of a shared secret at the time of order creation is a good
protocol improvement.
From: Acme [mailto:acme-boun...@ietf.org] On Behalf Of Aaron Gable
Sent: Monday, October 24, 2022 3:24 PM
To: Ilari Liusvaara
Cc: acme@ietf.org
Subject: Re: [Acme] Potential race condition attack
The ACME domain validation protocol is only capable of asserting a single
statement: "the entity which controls this account private key also
controls this domain name".
If someone other than the original applicant also controls the same account
private key, the ACME protocol has no way to determi
On Fri, Oct 21, 2022 at 02:33:15PM -0700, David Weitzman wrote:
> The attack described below wouldn't work on Let's Encrypt because it
> hasn't implemented the order list feature yet, so this is more of a
> hypothetical attack for anyone who finishes implementing the standard.
Well, Let's Encrypt
8:38 PM
To: acme@ietf.org
Subject: Re: [Acme] Potential race condition attack via account pending order lists
On Sat, Oct 22, 2022 at 05:48:35PM +0200, Sebastian Nielsen wrote:
> I don't see any problem with it since:
> 1: It requires possessing an account key with a valid authorization f
On Sun, Oct 23, 2022 at 09:48:59AM +0900, Seo Suchan wrote:
> as an account key doesn't fly alone but with an acme client to use it, I think
> the attacker already knows any order it does by just looking at the client's log -
> even if it didn't get the certificate private key because it's processing an
> external CS
as an account key doesn't fly alone but with an acme client to use it, I
think the attacker already knows any order it does by just looking at the
client's log - even if it didn't get the certificate private key because it's
processing an external CSR from somewhere else or so.
On 2022-10-23 at 9:38 AM, Matt Palmer (
On Sat, Oct 22, 2022 at 05:48:35PM +0200, Sebastian Nielsen wrote:
> I don't see any problem with it since:
> 1: It requires possessing an account key with a valid authorization for the
> domain in question.
> In my eyes, one that possesses such a key IS the valid domain owner.
That is an extremely od
To: acme@ietf.org
Subject: [Acme] Potential race condition attack via account pending order lists
The attack described below wouldn't work on Let's Encrypt because it hasn't
implemented the order list feature yet, so this is more of a hypothetical
attack for anyone who finishes
The attack described below wouldn't work on Let's Encrypt because it
hasn't implemented the order list feature yet, so this is more of a
hypothetical attack for anyone who finishes implementing the standard.
Scenario:
1) A hacker secretly stole a copy of an account private key months ago
2) This h