[Acme] Turning off old/insecure challenge types
Josh Aas <josh@letsencrypt.org> Sat, 14 November 2015 19:33 UTC
Return-Path: <josh@letsencrypt.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54C521B29B0 for <acme@ietfa.amsl.com>; Sat, 14 Nov 2015 11:33:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.169
X-Spam-Level:
X-Spam-Status: No, score=-1.169 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yiyt8cBFt_F7 for <acme@ietfa.amsl.com>; Sat, 14 Nov 2015 11:33:41 -0800 (PST)
Received: from mail-ob0-x230.google.com (mail-ob0-x230.google.com [IPv6:2607:f8b0:4003:c01::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F20381B29AA for <acme@ietf.org>; Sat, 14 Nov 2015 11:33:40 -0800 (PST)
Received: by obbnk6 with SMTP id nk6so96483066obb.2 for <acme@ietf.org>; Sat, 14 Nov 2015 11:33:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; h=mime-version:date:message-id:subject:from:to:content-type; bh=8gwTJhwrDTBhij0ilrT8hyQupIfPy21Le1VxT8H1tgA=; b=X9VPxQAFJoBthfvzPg4tsatfZP74fSj5MfsKIJbuYYLcfbi1r0RNavsHCezC2eEWbd yZp+QrLaIg8TEinYk7HUVZZbn2zhoy+d4A6BzLwTv1eUV51ycpA+Vg98roN3Or6E5TPf k3cT+t735prSuzIQiWvJzGueZZjUTPWsurOJw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type; bh=8gwTJhwrDTBhij0ilrT8hyQupIfPy21Le1VxT8H1tgA=; b=Lo8MNXJhgWAkYYp2PkZqT4pc6rOPHA4qdfvZoL/cGhTXoPkLIynVE6cEvJE64tGd7k TrKl8BqAPni9Yn6UT3CdfmLK46FsLLHKMpIXxcbUfWL0T+Npm/+Zj36B8dzS3ufAAop/ SDFcaConPpyvxxiEIZ/9/6ZnucQEH4mCHKzUum0VG4UxuCuuvSkRBfd+tsGEoe/5gZEh cJG/TLgY1A/FC87wOjfYIEFlfew5YWH4rzpxdEkaKhchDCDKvTLgS21woaW3gCjxVn4l gf85GkxEiBQ8/Sb8JDQkp75RqkPVubf4/CaCgcJIs+2KNN3bodute1kzUnepBN1+jl3u J4og==
X-Gm-Message-State: ALoCoQkYvJ+nC3tCYlwEr4L+X7Y/dy9PUdzKTgu1YpQh9CbpN5o0eIs8PFuyg/64FmsobPrKtGH9
MIME-Version: 1.0
X-Received: by 10.60.117.164 with SMTP id kf4mr16856454oeb.46.1447529620420; Sat, 14 Nov 2015 11:33:40 -0800 (PST)
Received: by 10.60.167.36 with HTTP; Sat, 14 Nov 2015 11:33:40 -0800 (PST)
Date: Sat, 14 Nov 2015 13:33:40 -0600
Message-ID: <CAJH38kEg9Hrd3nnZ-pcn+kwDTUS8c+CXUeYJaOkXfALkLQVmcg@mail.gmail.com>
From: Josh Aas <josh@letsencrypt.org>
To: acme@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/SeV8tlnDggwcFZAO_3j22EjjC4A>
Subject: [Acme] Turning off old/insecure challenge types
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Nov 2015 19:33:42 -0000
Let's Encrypt will no longer be offering the "simpleHttp" and "dvsni" challenges as of Thursday, November 18. If your client depends on these challenges, you will need to update to the "http-01" or "tls-sni-01" challenges by that date, or your client will no longer work. The current version of the official Let's Encrypt client supports the new challenges. This change is required because these older challenges have a signature reuse vulnerability, reported on the IETF ACME list by Andrew Ayer several weeks ago. Also, please note: The "tls-sni-01" challenge currently offered by Let's Encrypt is currently not compatible with the "tls-sni-01" challenge defined in draft-ietf-acme-acme-01. It lacks the "n" parameter. This is a known issue, and will be resolved once the IETF ACME working group decides whether to keep the "n" parameter. -- Josh Aas Executive Director Internet Security Research Group