New verify option email challenge

Hello,

Many hosts don't support the .well-known folder or a DNS zone editor. So why
don't we add a new verification method, like email verification?

Thanks.

E-mail verification can’t be easily automated, which is one of Let’s Encrypt’s goals. They do have a DNS verification option that can be used if the webroot or standalone methods are not possible.

This issue with .well-known has been brought up many times, feel free to search for other topics covering the same issue.

Part of the Let’s Encrypt mission is to bring all of the disparate methodologies into a more cohesive, consistent realm for the automatic issuance of certificates. The service is being built around an in-progress IETF standard - watering this down to serve hosts that are unwilling to provide standards-compliant services would be counter to that goal. I wouldn’t want to host anything with a provider who cannot be bothered to comply with internet standards, and would ‘vote with my wallet’ on that one, electing to use a provider who does.

...and a whole lot more do support at least one of these. Email validation has been discussed extensively in the past (the search feature is your friend), and isn't going to be implemented. If your host doesn't work, there are hundreds of others that will.

Hi @mrtroll,

There have been a number of great answers to your question (Thanks everyone!) but I wanted to add one more.

The protocol that Let's Encrypt implements, which defines the methods of domain validation available for proving ownership of a domain, is called ACME. In fact, your feature request would have to be directed to the IETF working group responsible for ACME, since Let's Encrypt implements the challenges that ACME specifies.

ACME as it exists today specifically excluded email validation during design because it is commonly believed to offer considerably less security against mis-issuance than the other challenge types that were specified as part of the protocol.

This turned out to be the right decision and was reinforced by the results of an academic effort by HAL-Inria in France. They produced a paper called "A Formal Model for ACME: Analyzing Domain Validation over Insecure Channels" where they used pi-calculus to mathematically model an older version* of the ACME protocol. The results specifically highlighted how the protocol would be weakened by adding email validation:

Unlike HTTP and DNS Identifiers, Email Identifiers effectively offer C a read-based challenge instead of proof of some write access. In §3, we discuss how Email Identifiers are the weakest available form of identification given our threat model.

I think it's extremely unlikely that the ACME working group would be willing to revisit the inclusion of email based validation in light of findings such as this. Similarly Let's Encrypt would not implement domain validation challenge methods that were not part of the IETF ACME protocol.

Hope that helps explain things!

*: Other findings have either been addressed in current versions of the protocol or were things from early drafts that Let's Encrypt never implemented (e.g. account recovery).
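To make the "write access" point from the quoted paper concrete, here is an added illustration (not Let's Encrypt, Boulder or certbot code) of how the HTTP-01 and DNS-01 challenges in RFC 8555 work: the client must publish a key authorization that binds the CA's token to the SHA-256 thumbprint of its own account key, and the CA then reads it back from the domain. The account keys below are constructed P-256-shaped JWKs rather than real keys, the token is a fixed sample, and `fetch`/`resolve_txt` are in-memory stand-ins for the CA's HTTP GET and DNS lookup. The demo also shows why a second party who merely observed the token (the read-only position an email challenge would grant) cannot pass the check with their own account key.

```python
"""ACME key authorization for HTTP-01 and DNS-01 (RFC 8555 section 8).
Added illustration; constructed sample keys and token, no network access."""
import base64
import hashlib
import json
from typing import Callable, Dict, Iterable, Optional, Tuple


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    serialised with keys in lexicographic order and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """token || '.' || base64url(thumbprint). Binding the account key into the
    response is what stops a third party from replaying a token it observed."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_expected(token: str, account_jwk: Dict[str, str]) -> Tuple[str, str]:
    """URL path the CA fetches on port 80, and the exact body it expects."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, account_jwk)


def dns01_expected(domain: str, token: str, account_jwk: Dict[str, str]) -> Tuple[str, str]:
    """TXT record name and value: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def validate_http01(token: str, account_jwk: Dict[str, str],
                    fetch: Callable[[str], Optional[str]]) -> bool:
    """CA side of HTTP-01. `fetch` stands in for the CA's HTTP GET and returns
    None for a 404. The body must equal the key authorization exactly
    (trailing whitespace tolerated)."""
    path, expected = http01_expected(token, account_jwk)
    body = fetch(path)
    return body is not None and body.rstrip() == expected


def validate_dns01(domain: str, token: str, account_jwk: Dict[str, str],
                   resolve_txt: Callable[[str], Iterable[str]]) -> bool:
    """CA side of DNS-01: some TXT record at the challenge name must match."""
    name, expected = dns01_expected(domain, token, account_jwk)
    return any(rr == expected for rr in resolve_txt(name))


# Constructed sample account keys: they have the shape of P-256 JWKs but the
# coordinates are just hashes of labels, not points on the curve.
HONEST_JWK = {"kty": "EC", "crv": "P-256",
              "x": b64url(hashlib.sha256(b"honest-x").digest()),
              "y": b64url(hashlib.sha256(b"honest-y").digest())}
ATTACKER_JWK = {"kty": "EC", "crv": "P-256",
                "x": b64url(hashlib.sha256(b"attacker-x").digest()),
                "y": b64url(hashlib.sha256(b"attacker-y").digest())}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # fixed sample token


def demo() -> Dict[str, bool]:
    """Legitimate operator provisions the challenge responses; the CA then
    validates for the honest account and for an attacker who knows the token."""
    docroot: Dict[str, str] = {}
    path, body = http01_expected(TOKEN, HONEST_JWK)
    docroot[path] = body + "\n"          # written under .well-known on the web host

    zone: Dict[str, list] = {}
    name, value = dns01_expected("example.com", TOKEN, HONEST_JWK)
    zone[name] = [value]                 # written via the DNS zone editor

    def resolve(n: str) -> Iterable[str]:
        return zone.get(n, [])

    return {
        "http01_honest": validate_http01(TOKEN, HONEST_JWK, docroot.get),
        "http01_attacker_replays_token": validate_http01(TOKEN, ATTACKER_JWK, docroot.get),
        "dns01_honest": validate_dns01("example.com", TOKEN, HONEST_JWK, resolve),
        "dns01_attacker": validate_dns01("example.com", TOKEN, ATTACKER_JWK, resolve),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The attacker cases fail not because the token is secret (it travels in the clear in the ACME exchange and the HTTP response) but because the value that has to be written at the domain is tied to the account key that will later sign the finalization request; reading the token is not enough, which is exactly the read-versus-write distinction the paper draws.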
