Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
tialaramex 7 hours ago

They don't need ACME to do that, ACME is just an automation standard - the same rules apply for getting a certificate via ACME such as 3.2.2.4.19 "Agreed upon change to website - ACME" as for the manual process 3.2.2.4.18 "Agreed upon change to website v2". The ACME version is just designed for machines to automate easily (and as a result wildly more common in use today)

And Multi-perspective only helps against an attacker who is merely able to influence a local route, if they can ensure all your perspectives see the same thing the attacker wins.

infogulch 5 hours ago | parent [-]

So there is a more general standard which the ACME protocol automates. Or perhaps another way to put it is that, the standard is written in a way that "just happens" to be nicely automatable.

Yes this is why multi-perspective is described as a "mitigation" above. Ideally, ACME issuers have a large array of perspectives with additional perspectives added frequently to foil planned attacks. But real BGP security is the actual solution to this problem.

tialaramex 4 hours ago | parent [-]

Not exactly. There's a document, the Baseline Requirements or BRs: https://cabforum.org/working-groups/server/baseline-requirem...

This document is essentially an agreement between the Trust Stores (largely the browser vendors such as Microsoft, Google, Apple, and Mozilla) on behalf of their Relying Parties (everybody) and the Certificate Authorities they choose to trust. It lays out the requirements on what the CAs may do and how they may do it, the numbers I quoted were sub-section numbers for what are sometimes called the "Blessed Methods" which these days are listed in those requirements - for how a CA shall check that say a certificate for news.ycombinator.com can be issued to this web server we're both using.

This isn't a "standard" really, any more than you'd say the Geneva Conventions were standards. It specifies (that "- ACME" is from the document, it's not my addition) that you can use some ACME protocol features to achieve the name confirming requirement but it also specifies some ways to do so manually. Last month quite a few of the older methods were finally stopped for new issuance (though existing confirmations for those methods will keep working for a few years if you have them). Stuff like "Find the landline phone number for the company in a government directory and call them" which I'm not sure really still made sense when the BRs were first agreed, let alone last month when it was finally removed.