Hi,
I've been reading the spec, and I don't really understand why the reply to
validation challenges is not designed the same way as other api. If I
understand the spec correctly, instead of sending a JWS reply, the jws is
embedded in a json object containing 'type' and 'validation'.
For example the dvsni challenge response is :
{
"type": "dvsni',
"validation": {
"header": { "alg": "HS256" },
"payload": "qzu9...6bjn",
"signature": "xxxxxxxxxxxxxxxxxx"
}
}
Why don't use a regular JWS as body for this challenge reply ?
In that case the reply would be:
{
"signature": "xxxxxxxxxxxxxxxxxxx",
"protected": "eyJub25jZ...In0",
"header": {
"alg": "RS256",
"jwk": {
"kty": "RSA",
"n": "ox33_lEk....Eg9zM",
"e": "AQAB"
}
},
"payload": /* in cleartext for readability */ {
"type": "dvsni",
"token": "fgf...gfdg"
}
}
Also for the dns challenge I don't understand why there is
"clientPublicKey" attribute in the reply.
Still regarding dns challenge I am concerned about the length of the
"signature" generated when RS256 is used to sign the JWS object with a 4096
bits key. It will then exceed the maximum txt record length. maybe using a
hash of this signature would solve this ?
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
