vanbroup / acme-auto-discovery

A mechanism for ACME clients to discover ACME server settings from a domain's CAA DNS record
https://vanbroup.github.io/acme-auto-discovery/draft-vanbrouwershaven-acme-auto-discovery.html

Security Considerations for ACME account key sharing #18

Open vanbroup opened 9 months ago

vanbroup commented 9 months ago

It's implied that cloud service providers (i.e., a specific ACME account key) can request certificates for any domain for which they can demonstrate domain control; there is an open question about whether a mechanism should exist whereby subscribers can explicitly authorize a given cloud service provider to issue a certificate with a given subject name (OV/EV).

We should evaluate the Security Considerations for situations where the ACME account key is managed by a Cloud Service Provider and shared between multiple subscribers.

ounsworth commented 2 months ago

Security Consideration 9.3 needs to be re-written in light of the existence of the ACME-Client-Discovery draft and the fact that we are now expecting clients (CSPs) to use the same ACME client key for all their customers. We do not believe that there is any increased security risk given that the CSP already has DNS control of the customer's domain; especially coupled with a client authorization mechanism as described in the ACME-Client-Discovery draft.

Needs a small amount of thought, but should be straightforward to re-write.
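As an added example (not code from the draft or from either commenter, and going beyond the thread): one concrete form of the "client authorization mechanism" discussed above is a CAA `issue` record that binds issuance to a specific ACME account URI, as defined in RFC 8657's `accounturi` parameter. The check below evaluates such records for a CA and account pair; the record values are constructed sample data and the choice of RFC 8657 as the binding mechanism is an assumption, since the draft may specify its own.

```python
# Added example: decide whether the holder of a given ACME account (e.g. a CSP's
# shared account key) is authorized to have a given CA issue for a domain,
# using CAA issue/issuewild records with the RFC 8657 "accounturi" parameter.
# Not part of the acme-auto-discovery draft; record values are constructed.
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass
class CaaRecord:
    tag: str    # "issue" or "issuewild"
    value: str  # e.g. 'ca.example; accounturi=https://acme.ca.example/acct/42'

def parse_issue_value(value: str) -> tuple[str, dict[str, str]]:
    """Split '<issuer-domain>; k=v; ...' into (issuer, params).
    An empty issuer domain (value ';') means no CA may issue."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params: dict[str, str] = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return issuer, params

def issuance_allowed(records: list[CaaRecord], ca_domain: str,
                     account_uri: Optional[str], wildcard: bool = False) -> bool:
    """True if ca_domain, acting for account_uri, may issue for the domain
    whose relevant CAA record set is `records`."""
    tag = "issuewild" if wildcard else "issue"
    relevant = [r for r in records if r.tag == tag]
    if wildcard and not relevant:
        # RFC 8659: with no issuewild records, issue records govern wildcards too
        relevant = [r for r in records if r.tag == "issue"]
    if not relevant:
        return True  # no applicable CAA records: any CA may issue
    for r in relevant:
        issuer, params = parse_issue_value(r.value)
        if issuer != ca_domain.lower():
            continue
        bound = params.get("accounturi")
        # A record without accounturi authorizes the CA for any account;
        # with accounturi, only that exact account is authorized.
        if bound is None or bound == account_uri:
            return True
    return False
```

A CA performing the check on the subscriber's behalf would also need to refuse when the shared account URI presented by a CSP does not match the one the subscriber published, which is the case the second assertion below covers.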