Hi,
what about this idea for DNS-based authorization?
1) Take the public key of the account and build the SHA-1 of it (maybe
later SHA-256).
2) Create a TXT record sha1-dns-02-acme-challenge for the domain with the
Base64 content of the hash.
sha1-dns-02-acme-challenge.example.com. 300 IN TXT "gfj9Xq...Rg85nM"
Improvements over dns-01:
a) It allows wildcard entries, so that the user does not need to change
the DNS for each FQDN.
b) As long as the account key is the same, the approval is the same.
This is analogous to placing an HTML page containing an authorization
token on the web server, like Google uses it for webmaster info access.
We do not need the random factor to prevent replay, as long as we bind
the authorization to the account key.
With the system I described above, the challenge that fulfils the random
request is:
The certificate requester must prove that he owns the private key for the
public key that he announced in the DNS record.
To prove this, the CA sends a random 128-bit token to the requester, which
is sent back as a JWK signed with the matching private key for the DNS
record, containing the token from the challenge.
Regards, Thomas Lußnig
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
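A worked illustration of the proposal in the mail above, added here and not Thomas's code: it uses the SHA-256 variant he mentions, an Ed25519 key as a stand-in for the ACME account key, and a raw signature over the token instead of a JWK/JWS envelope (all three are my assumptions). The CA-side check needs both halves, hash match against the TXT value and a signature over the token the CA itself issued; either one alone accepts a foreign key or a replayed response.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Record label as proposed, using the SHA-256 variant mentioned in the mail.
const recordLabel = "sha256-dns-02-acme-challenge"

// TXTValue is what the requester publishes: base64 of SHA-256(account public key).
func TXTValue(accountPub ed25519.PublicKey) string {
	sum := sha256.Sum256(accountPub)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// TXTRecord renders the zone line; one record covers every name under domain.
func TXTRecord(domain string, accountPub ed25519.PublicKey) string {
	return fmt.Sprintf("%s.%s. 300 IN TXT \"%s\"", recordLabel, domain, TXTValue(accountPub))
}

// NewToken is the CA side: a fresh random 128-bit challenge token.
func NewToken() ([]byte, error) {
	tok := make([]byte, 16)
	_, err := rand.Read(tok)
	return tok, err
}

// Respond is the requester side: sign the CA's token with the account private key.
func Respond(accountPriv ed25519.PrivateKey, token []byte) []byte {
	return ed25519.Sign(accountPriv, token)
}

// Verify is the CA side: the presented key must hash to the published TXT value
// AND the signature must be over the token this CA issued for this challenge.
func Verify(txtValue string, presentedPub ed25519.PublicKey, token, sig []byte) bool {
	if len(presentedPub) != ed25519.PublicKeySize || TXTValue(presentedPub) != txtValue {
		return false
	}
	return ed25519.Verify(presentedPub, token, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // stand-in for the ACME account key
	tok, _ := NewToken()
	fmt.Println(TXTRecord("example.com", pub), Verify(TXTValue(pub), pub, tok, Respond(priv, tok)))
}
```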