Limit notAfter date if whois shows domain will expire soon?

On the ACME mailing list last year, someone brought up “How does ACME handle domain reuse?” It was suggested that lowering friction for domain reuse would inherently also “enable attackers,” so you just have to wait for the old certificate to expire.

But when verifying someone owns a domain, should Boulder not at the very least get an upper ceiling on how long someone might maintain control of the domain? If the Registry Expiry Date is less than 90 days in the future, it should probably limit the certificate’s validity period (and that of all subdomain certs), so that it’s easier for whoever snatches up the domain next to get a new cert issued without hassle. (And possibly warn the site owner.)

At most you might need to confirm currentExpiryDate is not-sooner-than previouslySeenExpiryDate to be sure it wasn’t tampered with.

I mean, if the future of the web is encrypting everything, even shitty DNS parked advertising farms will need to be able to get certificates with minimal delay.
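The cap proposed above, written out as an added example (not Boulder's code and not from anyone in this thread): pull the Registry Expiry Date out of raw whois output, cap notAfter at the earlier of 90 days and that date, and reject a record whose expiry has moved earlier than the one previously recorded, as the follow-up suggests. The function names and the sample whois fragment are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"time"
)

// maxLifetime is the 90-day ceiling the thread refers to.
const maxLifetime = 90 * 24 * time.Hour
// expiryRe matches the "Registry Expiry Date:" line of a whois record.
var expiryRe = regexp.MustCompile(`(?m)^\s*Registry Expiry Date:\s*(\S+)`)

// parseRegistryExpiry extracts the registry expiry (RFC 3339) from raw whois output.
func parseRegistryExpiry(whois string) (time.Time, error) {
	m := expiryRe.FindStringSubmatch(whois)
	if m == nil {
		return time.Time{}, errors.New("no Registry Expiry Date in whois output")
	}
	return time.Parse(time.RFC3339, m[1])
}

// cappedNotAfter returns the notAfter the proposal would assign: 90 days from
// issuance unless the registry expiry comes first. previouslySeen is the expiry
// recorded at an earlier issuance (zero if none); an earlier value is rejected.
func cappedNotAfter(now, registryExpiry, previouslySeen time.Time) (time.Time, error) {
	if !previouslySeen.IsZero() && registryExpiry.Before(previouslySeen) {
		return time.Time{}, fmt.Errorf("registry expiry %v moved earlier than previously seen %v", registryExpiry, previouslySeen)
	}
	if !registryExpiry.After(now) {
		return time.Time{}, errors.New("domain registration has already expired")
	}
	notAfter := now.Add(maxLifetime)
	if registryExpiry.Before(notAfter) {
		notAfter = registryExpiry // cap at the registry expiry
	}
	return notAfter, nil
}

func main() {
	// Constructed sample whois fragment, not a real record.
	whois := "Domain Name: EXAMPLE.COM\nRegistry Expiry Date: 2024-03-15T04:00:00Z\n"
	exp, err := parseRegistryExpiry(whois)
	if err != nil {
		panic(err)
	}
	now := time.Date(2024, 2, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println(cappedNotAfter(now, exp, time.Time{})) // 2024-03-15 04:00:00 +0000 UTC <nil>
}
```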

I may be misunderstanding, but generally the new owner would have no difficulty getting a new cert for the domain. They have control of the domain, so could get a new certificate.

You could say there is a slight security risk in that the “old owner” still has a valid certificate (for a max of 90 days) which you can’t revoke as you don’t have their private key. I don’t see any issue getting a new cert though.

Oh. Previously it was stated proofOfPossession or waiting for it to expire would be required in cases like this. But looking at more recent discussions I guess that plan was never actually put into practice (yet).


Just for the record. This can be very annoying for people like me who have an auto renewal for their domains. On the expiry date of my domains, my registrar direct debits my bank account and renews them for a year.