[ACMEv2] For policy locked domains - attempt to request additional authorizations rather than hard-failing

I have a suggestion for the ACMEv2 endpoint.
And that is, when a domain is locked due to issuance policy due to Lets Encrypt's own blacklist, I Think it should try to solve that using authorizations instead, and also augument this validation with the CAA records.

There are a few cases here on let's encrypt, where a owner of a "high value" domain wants to secure additional domains and gets blocked by the policy and needs to do a "manual validation" with the LE personell.

A better idea is to perform these validations automatically instead.

Example (Yes, I know the example is very "stupid" but imagine a lesser known domain):
Lets say im the owner of paypal.com and wants to create a certificate of paypal.co.cc
When I create the authorization for paypal.co.cc, it could also in ACMEv2, request validation for paypal.com aswell. If that succeeds it could "bypass" the policy block.

This needs Another format of the blacklist:
Currently, its just X where X is an blacklisted Word.

The blacklist could be instead a key-value pair, where X is the blacklisted Word, and Y is a comma-separated list of owner domains that "owns" this Word. Validation must succeed for all "owner domains" that own a specific blacklisted Word for a issuance to complete.
If there is multiple blacklisted Words inside a domain name, validations must be done for all those additional names.

Of course, it should check the CAA for these "owner domains" too, and if CAA prohibits issuance, then it should hard-fail.

One example is this:

Here it could instead, in ACMEv2, of hard-failing, request authorization for walmart.com and if that authorization succeeds, then you are permitted to continue despite the policy block.

This is not a completely accurate description of what happens. We never do domain validation manually. For most high-risk domains, we simply will not issue. Occasionally someone will bring to our attention a domain that Let's Encrypt shouldn't consider high-risk, and our security officers will evaluate it and potentially remove it.

The other issue with your proposal is that there is not necessarily any relationship between two domains, just because they happen to share some labels, as in the case of walmart.com and walmart.com.ar.

At any rate, I appreciate the ideas! Thanks for participating. :slight_smile:

1 Like

I know that there is not any relationship because they share a label. My idea was to use the domain validation to actually verify you are the owner of the “risk” that the “high risk” domain induces.

I know that some domains in the policy are false positives (for example, a Three-letter Word might both refer to a US bank but also be a acronym for something else in a Another language) and then I have seen that you remove the blockage right away.

But for example in this walmart case, I have seen that phrase sometimes that they will get instructions on how to proceed in private message because the blacklist was not a false positive.
I tought you then proceeded to verify that walmart.com.ar did really own the trademark for walmart via manual phone verification, and then added an exception for them in the policy. And my idea was that since the trademark that a domain blacklist is meant to protect also normally has a website, you could use that to in an automatic fashion, verify that they do own the domain that “induces” the risk.

Because, if you really do own paypal.com and can verify it, shouldn’t you be able to issue for anything that contains the Word “paypal”?

I think you are misunderstanding the state of affairs completely here. The usual case is that people with a risk domain are NOT owners of the high-risk name.

High-risk names usually get certificates from “classic” CAs which are also more likely to be EV certificates.

Because think about it, the owner of paypal.com is coming to LE to get a cert for paypal.co.cc? That seems highly unlikely.

I just took paypal as an example. There are a few “less known” words that are correctly on the risk list, but where the legal owners of the Word/trademark wants a LE certificate.

My tought is that today LE isn’t that big of useful for the “big Sharks” on the internet, but when wildcard certs come, I Think even larger Sharks on the net will ditch their regular CA for LE, especially with the combined wildcard+UCC and third-level subdomain support which is something that doesn’t exist at regular CA’s.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.