undefined | Better HN

0 pointstialaramex7y ago0 comments

Github can and should ask Let's Encrypt to revoke the certificates, the API lets them do that by proving it's their certificate. There's a suitable OCSP cause code like "obsolete" but I can't remember if you can set the cause code in ACME.

I also can't remember whether there's an API for legitimate owners to revoke a cert issued to someone else that's no longer OK. Let's Encrypt does have to be able to do that, but if there's no API it might be very manual.

0 comments

pfg7y ago

> I also can't remember whether there's an API for legitimate owners to revoke a cert issued to someone else that's no longer OK. Let's Encrypt does have to be able to do that, but if there's no API it might be very manual.

You can do that by going through the usual challenge process in ACME and obtaining an authorization object for all names on a certificate. Any ACME account who is authorized to issue certificate for these names can also request revocation for existing certificates (even if owned by different ACME accounts).

(You're a bit screwed if the certificate you want to revoke also contains names from other users. This is a good argument for a "one name per certificate" or "only the names of one user per certificate" policy for such implementations.)

j / k navigate · click thread line to collapse

0 pointstialaramex7y ago0 comments

0 comments

pfg7y ago

j / k navigate · click thread line to collapse