| ▲ | TrueDuality 5 hours ago | ||||||||||||||||||||||||||||||||||
I think this is solving a real operational pain point, definitely one that I've experienced. My biggest hesitation here is the direct exposure of the managing account identity not that I need to protect the accounts key material, I already need to do that. While "usernames" are not generally protected to the same degree as credentials, they do matter and act as an important gate to even know about before a real attack can commence. This also provides the ability to associate random found credentials back to the sites you can now issue certificates for if they're using the same account. This is free scope expansion for any breach that occurs. I guarantee sites like Shodan will start indexing these IDs on all domains they look at to provide those reverse lookup services. | |||||||||||||||||||||||||||||||||||
| ▲ | liambigelow 2 hours ago | parent | next [-] | ||||||||||||||||||||||||||||||||||
CAA records including an accounturi already expose the account identity in the same manner, so I feel like that ship has already sailed somewhat (and I would prefer that the CAA and persist record formats match). | |||||||||||||||||||||||||||||||||||
| ▲ | krunck 5 hours ago | parent | prev | next [-] | ||||||||||||||||||||||||||||||||||
Exactly. They should provide the user with a list of UUIDs(or any other randomish ID tied to the actual account) that can be used in the accounturi URL for these operations. | |||||||||||||||||||||||||||||||||||
| ▲ | gsich 4 hours ago | parent | prev [-] | ||||||||||||||||||||||||||||||||||
The account is the same as you create in any acme client. I don't see potential for a reverse lookup. | |||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||