Validation via existing certificate?

The German Wikipedia article on Let’s Encrypt is saying the following:

[Validation requests] have to be answered correctly by the server. The protocol offers different possibilities to do this. With one of them, the ACME client software sets up a specially configured TLS server that replies to special requests from the certification authority using server name indication (domain validation via server name indication, DVSNI). However, this method is only accepted for issuing the first certificate for a domain (so called trust on first use, TOFU). Afterwards, alternative validation via an existing certificate is employed. If one loses control over an already issued certificate, one must therefore acquire a certificate from a third party in order to get a Let’s Encrypt certificate again.

Now I have not read anything about validation via existing certificates on the Let’s Encrypt website. It also does not make sense to me. After all, if someone gets hold of my private key, he would be able to get a new certificate for my domains, and use this certificate to get another certificate, and so on. Is this statement on Wikipedia wrong? Is there some truth in it?

It’s not quite accurate, but I guess there is some truth in it. Initially, the plan was to determine whether the domain you’re trying to acquire a certificate for has had a publicly-trusted certificate before (via Certificate Transparency), and if that’s the case, Let’s Encrypt would require that you also demonstrate control over the private key of that certificate, making it harder to get a certificate during temporary domain hijacks via DNS or BGP, etc. This validation step would happen on top of the regular domain ownership challenge, so it can’t be worse than that.

This idea was dropped at some point, presumably because there would’ve been too many issues with domain owners who don’t have their previous private keys anymore, or who never had them (domain transfer, etc.).

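To make the mechanism described in the answer concrete, here is an added example (not code from the post, from Let’s Encrypt or from the ACME specification) of a proof-of-possession exchange: the CA finds an earlier certificate for the domain, sends a random nonce, and the requester must sign it with that certificate’s private key. The check is modelled as an extra step on top of the ordinary domain challenge, which is why a requester who never held the old key (the domain-transfer case the answer mentions) fails it. The prior certificate is constructed as a self-signed ECDSA certificate for illustration; the challenge format `pop:<domain>:<nonce>` and the function names are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issuePriorCert stands in for the certificate the CA found in Certificate
// Transparency for the domain. Constructed self-signed here for illustration;
// in practice it would be an earlier publicly-trusted issuance.
func issuePriorCert(domain string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: domain},
		DNSNames:     []string{domain},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// newChallenge (CA side) produces a fresh nonce bound to the domain being
// validated, so a signature cannot be replayed for another domain or request.
func newChallenge(domain string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append([]byte("pop:"+domain+":"), nonce...), nil
}

// answerChallenge (client side) signs the challenge with the private key
// belonging to the previously issued certificate.
func answerChallenge(key *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// verifyPossession (CA side) checks that the prior certificate covers the
// domain and that the signature verifies under that certificate's public key.
func verifyPossession(prior *x509.Certificate, domain string, challenge, sig []byte) error {
	if err := prior.VerifyHostname(domain); err != nil {
		return fmt.Errorf("prior certificate not valid for %s: %w", domain, err)
	}
	pub, ok := prior.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("prior certificate does not carry an ECDSA key")
	}
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match the prior certificate's key")
	}
	return nil
}

// RunExchange runs the whole exchange and reports whether possession of the
// prior key was proven. With useCorrectKey=false the requester signs with a
// freshly generated key, modelling an owner who never had the old one.
func RunExchange(domain string, useCorrectKey bool) (bool, error) {
	prior, priorKey, err := issuePriorCert(domain)
	if err != nil {
		return false, err
	}
	signingKey := priorKey
	if !useCorrectKey {
		if signingKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return false, err
		}
	}
	challenge, err := newChallenge(domain)
	if err != nil {
		return false, err
	}
	sig, err := answerChallenge(signingKey, challenge)
	if err != nil {
		return false, err
	}
	return verifyPossession(prior, domain, challenge, sig) == nil, nil
}

func main() {
	ok, _ := RunExchange("example.com", true)
	fmt.Println("requester holding the prior key proves possession:", ok)
	ok, _ = RunExchange("example.com", false)
	fmt.Println("requester without the prior key proves possession:", ok)
}
```

Note that this step only ever adds to the regular domain-control challenge; a requester who passes it still has to pass that challenge too, which is the answer’s point that the scheme “can’t be worse” than the ordinary validation. The failure case is also exactly the usability problem the answer gives as the reason the idea was dropped.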
