The ACME Protocol

2014-11-19

... is the best thing since sliced bread the invention of SSL/TLS.

The Electronic Frontier Foundation (EFF), Mozilla, Akamai, Cisco and IdenTrus have partnered to create a free Certificate Authority (CA), Let's Encrypt. But the real twist is that they have removed humans form the certificate signing and revocation process. Finally the cherry on the cake is that Bruce Schneier thinks it's an "absolutely fantastic idea".

Enough of appeal to authority, first let us look at what is broken with existing certificate signing process. The way to get a valid SSL certificate is to create a signing request and have that signing request turned into a certificate by the CA. This certificate is then signed against the CA's certificate.

The SSL signing process is quite solid from a technical and cryptographic standpoint, but commonly fails on the human front. The problem is how does the CA know you are who you claim to be and that you that you actually own the domains the certificate is for?

Commonly there are different "trust levels" the CA provides. That is depending on how many hoops you are willing to jump though (and pay), you get signed against a different root certificate. But since most browsers accept all "trust levels" and most users are oblivious of this, few people bother with high "trust levels".

The lows "trust levels" prone to abuse, since the amount of checks done to validate the signing request is relatively low. It has already happened that people where able to social engineer themselves some certificates for domains they did not own, like these "hackers" that got themselves a bunch of certificates, such as for mail.google.com.

The really novel thing that the Let's Encrypt CA has to bring to the table is the Automated Certificate Management Environment (ACME) protocol. The protocol removes any human interaction in the signing process. The first step the of the process is that you need to prove that you own the domain you are requesting the certificate for. One option to do that is by serving a specific file from the domain via HTTP. This means you can only request a certificate if you are in control of the HTTP server(s) servicing for this domain.

Once the domain is proven, the certificate signing process works following the standard SSL model. The difference that it works via a web service and is secured by public key cryptography.

The genius about the ACME protocol is, that asks the right questions. It does not care who you are, just that you are in control of the domain the certificate is for. This makes the Let's Encrypt CA strongly reliable, since it is not prone to social engineering attacks.

Like any good security application the specification is publicly available and there is even a working prototype implementation. So until the service goes live in summer 2015 a plethora of security researchers will pour over the specification and implementation. But from my first look at it, it looks quite sane. So I expect that no much will be found, except a few minor details.