Skip to main content

Extended Security Considerations for the Automatic Certificate Management Environment (ESecACME)
draft-fiebig-security-acme-01

Document Type Expired Internet-Draft (individual)
Expired & archived
Authors Tobias Fiebig , Kevin Borgolte
Last updated 2020-03-12 (Latest revision 2019-09-09)
Replaces draft-fiebig-acme-esecacme
RFC stream (None)
Intended RFC status (None)
Formats
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:

Abstract

Most Public Key Infrastructure X.509 (PKIX) certificates are issued via the ACME protocol. Recently, several attacks against domain validation (DV) have been published, including IP-use-after-free and (forced) on-path attacks. These attacks can often be mitigated by (selectively) requiring additional challenges, such as DNS validation, proof of ownership of a prior certificate, and by being more diligent in operating a certificate authority. This document provides a list of currently known attacks and describes mitigations and operational procedures to prevent issuing a certificate to an unauthorized party.

Authors

Tobias Fiebig
Kevin Borgolte

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)