Figured I would share this here as it may be of interest to many.
I'm hoping it will especially reach developers of web infrastructure software like servers and popular apps:
It gives a high-level intro to the ACME protocol, describes a 0-day found in the ACME ecosystem, and offers recommendations on choosing ACME clients and servers, based primarily on fundamental principles and experience.
Hopefully it will give you things to think about as you choose clients and servers, or even as you develop clients yourselves!
My main theses, stated basically but coarsely, are:
- ACME is really good and important.
- Choose a few (more than 1, less than ~5?) ACME CAs you trust and configure your client to use them (your client should support multiple for redundancy).
- Choose as few (ideally one) ACME clients as you can, but choose wisely.
- Web apps and infrastructure need to grow up and start enabling and automating TLS by default to fulfill the original vision. That means embedded ACME clients in all the things.
(My disclosure is mentioned on that page multiple times.)