On Fri, Nov 13, 2015 at 03:00:48PM +0100, Romain Fliedel wrote:
> > However, the CA/B Forum validation requirements currently being
> > discussed include a requirement for a "Random Token." So we'd need to
> > convince them to add language that would allow something like an
> > authorized account key
>
> perhaps the use of a random DNS prefix would be sufficient?
I don't think that would help the present problem. Specifically: the client would want to compute the response to the challenge:

1) Without contacting the CA.
2) Without knowledge of server keys (including public key).

The reason for this is that it can take an annoyingly long time after the challenge becomes known until it is reliably available. And these delays are not from DNS caching (one can do uncached fetches at the cost of increased load).

And for the second requirement, having to know server keys would create problems with key rotation (apparently folks think keys should be rotated by default, and those that don't want that, e.g. due to using HPKP or DANE, can disable key rotation).

-Ilari

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
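The two requirements above (a response computable without a CA round-trip and without the server's keys) are what ACME's key authorization later standardized in RFC 8555: the response is the challenge token joined to the RFC 7638 thumbprint of the client's account key, so it depends only on material the client already holds, and the CA verifies it by recomputing from the account key it has on file. The following Python sketch of both sides is an added example, not code from this thread or from any ACME implementation; the account key coordinates, token and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME/JOSE use for tokens and thumbprints."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    lexically sorted, no whitespace. Optional members (kid, use, ...) are ignored."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Client side. Inputs are the challenge token and the client's own account
    key: no round-trip to the CA and no dependence on the server's TLS key, so
    the response is unaffected by server key rotation."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def verify_key_authorization(presented: str, issued_token: str, jwk_on_file: dict) -> bool:
    """CA side: recompute from the token it issued and the account key it
    registered, then compare in constant time."""
    expected = key_authorization(issued_token, jwk_on_file)
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


# Constructed sample data for illustration only: the coordinates are placeholder
# strings rather than a real P-256 point, and the token is made up.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "PLACEHOLDER_X_COORDINATE_BASE64URL",
    "y": "PLACEHOLDER_Y_COORDINATE_BASE64URL",
    "kid": "not-part-of-the-thumbprint",
}
TOKEN = "constructed-challenge-token-0123456789"


def demo() -> dict:
    """Run both sides once and return the outcomes so they can be checked."""
    response = key_authorization(TOKEN, ACCOUNT_JWK)
    other_account = dict(ACCOUNT_JWK, x="PLACEHOLDER_DIFFERENT_X_COORDINATE")
    return {
        "response": response,
        # Correct token and the registered account key: accepted.
        "verified": verify_key_authorization(response, TOKEN, ACCOUNT_JWK),
        # A response built for some other token is rejected.
        "wrong_token_rejected": not verify_key_authorization(response, TOKEN + "x", ACCOUNT_JWK),
        # A response built by a different account key is rejected.
        "other_account_rejected": not verify_key_authorization(
            key_authorization(TOKEN, other_account), TOKEN, ACCOUNT_JWK
        ),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Nothing in `key_authorization` takes a server key or talks to the CA, which is exactly the property Ilari asks for; the CA's only inputs at verification time are the token it generated and the account key the client registered earlier.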
