On Mon, Sep 28, 2015 at 4:43 PM, Ted Hardie <[email protected]> wrote:
> On Mon, Sep 28, 2015 at 12:01 PM, Richard Barnes <[email protected]> wrote:
>>
>> Dear WG,
>>
>> * "Add explicit versioning to challenges" -
>> https://github.com/ietf-wg-acme/acme/pull/8
>>
>
> I'm not sure this is quite right. If I understand the proposal correctly, when
> a client sees http-01 but understands only http-00, the idea that one is
> related to the other has no meaning, as the client can only respond to
> challenges when type and version match what it has code for, right?
>
> I think if we want that behavior, we'll need to specify whether a single
> array can have array entries with different versions of the same challenge
> type and we'll need to ensure that the same challenge type with different
> versions isn't used to create full coverage.
I was actually envisioning that the version numbers on the challenges
would only change when the challenge changed. (I was also thinking
they would use the I-D version number, but I could go either way on
that.) That way, two challenges have different tokens iff they entail
different behavior. So as of version -07, you might have "http-01",
"tls-sni-03", and "dns-07". Then when we head to RFC, we can drop the
version numbers.
However...
> That is, if it's okay for a challenge to be something like "Fulfil HTTP
> challenge version 0 and DNS challenge version 1 OR HTTP challenge version 1
> and DNS challenge version 0", then we should say so. I also think we need
> to explicitly rule out things like "Fulfil HTTP challenge version 0 and HTTP
> challenge version 1". (If the latter is okay, we shouldn't call them
> versions, but treat each iteration as fully semantically distinct).
... we do have that capability right now, with the "combinations"
element of the authorization object. For example, you would represent
the above with:
{
  ...
  "challenges": [
    { "type": "http-00", ... },
    { "type": "dns-00", ... },
    { "type": "http-01", ... },
    { "type": "dns-01", ... }
  ],
  "combinations": [ [0, 2], [1, 3] ]
}
Hope that helps,
--Richard
P.S. Obviously, now that -00 is out, the PR will need to be updated to
use "-01".
>
> regards,
>
> Ted
> Wearing no hats
>
>
>
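Added illustration of the "combinations" mechanism discussed above. This is example code written for this page, not code from the thread, the ACME draft, or any ACME implementation. It models the authorization object exactly as the message shows it: "combinations" is an array of index lists into "challenges", and a client that "has code for" only an exact versioned type string (http-00 but not http-01) treats other versions as unknown. The sample object reuses the challenge indices from the message as written; its tokens are constructed placeholders. Two assumptions are labelled in the code: that a version is a trailing "-NN" decimal suffix on the type name, and that a missing "combinations" element means the client must complete every challenge.

```python
"""Select a satisfiable ACME challenge combination, and flag combinations
that pair two versions of one challenge type.

Example code for this page, not from the ACME draft or any client. It
follows the authorization object shape shown in the message above.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample modelled on the authorization object in the message
# (same challenge order and the same "combinations" indices). Tokens are
# placeholders, not real ACME tokens.
SAMPLE_AUTHZ: Dict = {
    "status": "pending",
    "identifier": {"type": "dns", "value": "example.com"},
    "challenges": [
        {"type": "http-00", "token": "tok-0"},
        {"type": "dns-00", "token": "tok-1"},
        {"type": "http-01", "token": "tok-2"},
        {"type": "dns-01", "token": "tok-3"},
    ],
    "combinations": [[0, 2], [1, 3]],
}

# Assumption: a challenge version is a trailing "-NN" decimal suffix on the
# type name ("http-01", "tls-sni-03", "dns-07"), as in the message.
_VERSIONED = re.compile(r"^(?P<base>.+)-(?P<ver>\d+)$")


def split_type(ctype: str) -> Tuple[str, Optional[int]]:
    """Split 'tls-sni-03' into ('tls-sni', 3); unversioned names get None."""
    m = _VERSIONED.match(ctype)
    if not m:
        return ctype, None
    return m.group("base"), int(m.group("ver"))


def effective_combinations(authz: Dict) -> List[List[int]]:
    """Combinations the client must choose from.

    Assumption: when the server sends no "combinations" element, the client
    must complete every challenge, i.e. a single combination of all indices.
    """
    challenges = authz.get("challenges", [])
    combos = authz.get("combinations")
    if not combos:
        return [list(range(len(challenges)))]
    return [list(c) for c in combos]


def select_combination(authz: Dict, supported: Iterable[str]) -> Optional[List[int]]:
    """Return the first combination the client can fully satisfy, or None.

    A challenge counts as satisfiable only if its exact type string (type
    and version together) is one the client has code for. Combinations
    with out-of-range indices are skipped rather than raising.
    """
    known = set(supported)
    challenges = authz.get("challenges", [])
    for combo in effective_combinations(authz):
        if not combo:
            continue
        if all(0 <= i < len(challenges) and challenges[i].get("type") in known
               for i in combo):
            return combo
    return None


def same_type_conflicts(authz: Dict) -> List[List[int]]:
    """Combinations that require two versions of one challenge base type.

    This is the "HTTP version 0 and HTTP version 1" case the thread argues
    should be ruled out if the suffixes are to be called versions.
    """
    challenges = authz.get("challenges", [])
    flagged = []
    for combo in effective_combinations(authz):
        bases = [split_type(challenges[i]["type"])[0]
                 for i in combo if 0 <= i < len(challenges)]
        if len(bases) != len(set(bases)):
            flagged.append(combo)
    return flagged


if __name__ == "__main__":
    for client in (["http-00", "dns-00"], ["http-00", "http-01"], ["dns-07"]):
        print(client, "->", select_combination(SAMPLE_AUTHZ, client))
    print("combinations pairing two versions of one type:",
          same_type_conflicts(SAMPLE_AUTHZ))
```

Run stand-alone, the script shows that with the indices exactly as written in the message, a client implementing http-00 and dns-00 gets no usable combination, while one implementing both http-00 and http-01 is offered [0, 2]; the conflict checker reports both combinations, since each pairs two versions of a single base type. A client that wants to be strict about Ted's point can refuse any authorization for which same_type_conflicts returns a non-empty list.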
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme