Comment by crote

2 days ago

CT logs do allow enumeration, but avoiding that is just security through obscurity. WebPKI is intended for publicly-accessible hosts, so hopefully you already have some kind of firewall in place to protect them! If you want to avoid enumeration of internal-only hosts: just use your own self-signed root cert. CT logs are a crucial part of protecting against rogue CAs, so don't expect that to go away any time soon.

With ACME most of the delegation issues have pretty much been solved. Publicly-accessible hosts can easily get a cert - if and only if the domain resolves to that host. Want even stricter enforcement? Nobody's stopping you from writing an ACME proxy which only forwards requests from known-good hosts to LE & friends.

> CT logs do allow enumeration, but avoiding that is just security through obscurity.

Well, yes. There are also other issues, like rate limits. Some companies have hundreds of thousands of hosts (some virtual) and requesting certificates for all of them might be problematic.

> If you want to avoid enumeration of internal-only hosts: just use your own self-signed root cert.

This becomes increasingly problematic, as browsers start relying on DoH/DoT, or making it more difficult to enroll custom root certs.

> Nobody's stopping you from writing an ACME proxy which only forwards requests from known-good hosts to LE & friends.

I actually tried that. LE uses multiple viewpoints to resolve the challenges, so you need to open your internal DNS resolvers/HTTPS to basically all the world. Or play with the horror of split-horizon DNS.
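The ACME-proxy gate crote suggests above, as an added example that is not crote's, the replier's, or Let's Encrypt's code: an internal forwarding proxy receives ACME newOrder payloads (RFC 8555 §7.4 JSON) from hosts on the network and forwards an order to the public CA only when every requested name is in an inventory of known-good hosts, is not a wildcard, and resolves in public DNS to the address the request actually came from. The inventory, the stand-in public resolver and the addresses are constructed for the example. Note that this only gates which orders reach the CA; it does nothing about where the CA's own validation traffic originates, which is the reachability problem the reply raises.

```python
"""Policy check for a hypothetical ACME forwarding proxy (added example)."""

import ipaddress
import json
from dataclasses import dataclass, field

# Constructed inventory: hosts allowed to obtain public certificates and the
# public addresses they are known to serve from.
KNOWN_GOOD_HOSTS = {
    "www.example.com": {"203.0.113.10"},
    "api.example.com": {"203.0.113.11", "203.0.113.12"},
}

# Constructed stand-in for public DNS. A real proxy would query a recursive
# resolver that has no view of internal zones, so internal-only names
# would simply fail to resolve here.
PUBLIC_DNS = {
    "www.example.com": ["203.0.113.10"],
    "api.example.com": ["203.0.113.11", "203.0.113.12"],
    "intranet.example.com": ["10.0.0.5"],
}


def resolve(name):
    """Return the public A records for name (constructed lookup)."""
    return PUBLIC_DNS.get(name, [])


@dataclass
class Decision:
    forward: bool
    reasons: list = field(default_factory=list)


def vet_new_order(payload, client_ip, resolver=resolve, inventory=KNOWN_GOOD_HOSTS):
    """Decide whether a newOrder payload from client_ip may be forwarded to the CA."""
    try:
        identifiers = json.loads(payload)["identifiers"]
    except (ValueError, KeyError, TypeError):
        return Decision(False, ["malformed newOrder payload"])
    if not isinstance(identifiers, list) or not identifiers:
        return Decision(False, ["order has no identifiers"])
    try:
        src = ipaddress.ip_address(client_ip)
    except ValueError:
        return Decision(False, [f"bad client address {client_ip!r}"])

    reasons = []
    for ident in identifiers:
        if not isinstance(ident, dict) or ident.get("type") != "dns":
            reasons.append("only dns identifiers are forwarded")
            continue
        name = str(ident.get("value", "")).lower().rstrip(".")
        if name.startswith("*."):
            # Wildcards need dns-01 and would cover hosts outside the inventory.
            reasons.append(f"wildcard {name} refused")
            continue
        if name not in inventory:
            reasons.append(f"{name} is not a known-good host")
            continue
        # The name must resolve publicly to the host that is asking...
        public = {ipaddress.ip_address(a) for a in resolver(name)}
        if src not in public:
            reasons.append(f"{name} does not resolve to requester {src}")
            continue
        # ...and that address must be one we have on file for the host.
        if str(src) not in inventory[name]:
            reasons.append(f"{src} is not an inventoried address for {name}")
    if reasons:
        return Decision(False, reasons)
    return Decision(True, [f"forwarding order for {len(identifiers)} name(s)"])


if __name__ == "__main__":
    order = '{"identifiers": [{"type": "dns", "value": "www.example.com"}]}'
    print(vet_new_order(order, "203.0.113.10"))
    print(vet_new_order(order, "10.0.0.5"))
```

The proxy would run `vet_new_order` on each newOrder it receives and only relay accepted orders upstream; everything after that (challenge issuance, validation from the CA's multiple vantage points, finalization) proceeds exactly as without the proxy.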