On Fri, Nov 13, 2015 at 01:25:35AM +0000, Hugo Landau wrote:
> On Thu, Nov 12, 2015 at 02:14:11PM -0800, Jacob Hoffman-Andrews wrote:
> > I like the idea, and it generalizes to the other queries. For instance,
> > you can imagine putting up an HTTP validation file that contains a list
> > of authorized account keys, with no random token.
> >
> > However, the CA/B Forum validation requirements currently being
> > discussed include a requirement for a "Random Token." So we'd need to
> > convince them to add language that would allow something like an
> > authorized account key.
>
> That's unfortunate. Is the language unambiguous enough that the 'random
> token' must be per-authorization, rather than e.g. a random token
> generated at account generation time (which could be passed as well as
> the account key)?
By my reading, the applicable case is "a value specified by CA to the Applicant that exhibits at least 112 bits of entropy". I don't see any discussion whether it is per-request or per-token. And the other case would imply that it doesn't even have to be unknown to the applicant (that case explicitly says so).

There also seems to be a second method, but it would require pre-generating the server private key.

-Ilari

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
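As an added illustration (not code from the thread or from any ACME implementation), the following Python sketch combines the two ideas discussed above: a per-authorization random token that satisfies the quoted "at least 112 bits of entropy" wording, placed in an HTTP validation file alongside the list of authorized account keys that Jacob described. The file layout (`token` plus `authorized_keys`), the function names, and the sample account key are assumptions made for this example; account keys are identified by their RFC 7638 JWK thumbprint, which is this example's choice rather than something the thread specifies.

```python
"""Added example, not part of the ACME thread: per-authorization token with
>= 112 bits of entropy plus an authorized-account-key list in the validation
file. File layout and function names are hypothetical."""
import base64
import hashlib
import json
import secrets

MIN_TOKEN_ENTROPY_BITS = 112   # threshold quoted from the CA/B Forum draft language


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for tokens and thumbprints."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; re-adds the padding the encoder stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_validation_token(entropy_bits: int = MIN_TOKEN_ENTROPY_BITS) -> str:
    """CA side: draw a fresh token for this authorization from the OS CSPRNG."""
    nbytes = (entropy_bits + 7) // 8          # 112 bits -> 14 bytes
    return b64url(secrets.token_bytes(nbytes))


def token_entropy_bits(token: str) -> int:
    """Upper bound on the entropy a base64url token can carry (byte length * 8).
    A token shorter than 14 bytes cannot meet the 112-bit requirement at all."""
    return len(b64url_decode(token)) * 8


def meets_entropy_requirement(token: str) -> bool:
    return token_entropy_bits(token) >= MIN_TOKEN_ENTROPY_BITS


# RFC 7638 required members per key type (the only members that feed the thumbprint)
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexicographic key order,
    no whitespace, SHA-256, base64url. Extra members such as 'kid' are ignored."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def build_validation_file(token: str, account_jwks: list) -> str:
    """Applicant side (hypothetical layout): the CA-issued token plus the
    thumbprints of every account key allowed to complete this authorization."""
    keys = sorted(jwk_thumbprint(k) for k in account_jwks)
    return json.dumps({"token": token, "authorized_keys": keys})


def validate(file_body: str, expected_token: str, requesting_jwk: dict) -> bool:
    """CA side: the token must be the one issued for *this* authorization
    (constant-time compare), must carry enough entropy, and the account key
    making the request must appear in the authorized list."""
    try:
        doc = json.loads(file_body)
    except ValueError:
        return False
    token = doc.get("token", "")
    if not isinstance(token, str) or not secrets.compare_digest(token, expected_token):
        return False
    if not meets_entropy_requirement(token):
        return False
    return jwk_thumbprint(requesting_jwk) in doc.get("authorized_keys", [])


# Constructed sample account key: placeholder coordinates, not a real P-256 point.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}

if __name__ == "__main__":
    tok = new_validation_token()
    body = build_validation_file(tok, [SAMPLE_JWK])
    print(body)
    print("valid:", validate(body, tok, SAMPLE_JWK))
```

Note that `token_entropy_bits` is only a ceiling: a token of the right length drawn from a weak generator still fails the requirement, which is why the token must come from the CA's CSPRNG rather than be checked after the fact. An account-level token, as Hugo asks about, would pass these length checks just as well; what distinguishes it is that `expected_token` would no longer be tied to a single authorization.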
