On Fri, 22 Jan 2016 16:13:07 +0000 Hugo Landau <[email protected]> wrote:
> Firstly, I've drafted a specification for tls-sni-02
> which resolves Jehiah's concerns.
> <https://github.com/ietf-wg-acme/acme/pull/71>

I agree with Jehiah's comment on GitHub that for consistency with the http-01 challenge, SAN A (the token) should be used for the SNI request, and SAN B (the keyAuthorization) should be the SAN which the ACME server looks for.

Also, it's not necessary for the ACME server to verify that the returned certificate contains SAN A (the token). Seeing the keyAuthorization in a SAN is sufficient.

I think these changes should be made because paring the challenges down to their essentials and making them as similar as possible makes them much easier to reason about. For both http-01 and tls-sni-02, the basic procedure would be:

1. Request a resource (file or certificate) at the domain using the token to identify the resource.
2. Verify that the returned resource contains the keyAuthorization.

--
Andrew

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
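The two-step shape Andrew describes (fetch a resource selected by the token, then look for the keyAuthorization in it) can be written as one validator with two fetchers. The block below is an added illustration, not code from the thread, the ACME draft or any ACME implementation. It assumes the standard ACME construction keyAuthorization = token || "." || base64url(JWK thumbprint), with the thumbprint computed per RFC 7638 from the required JWK members; the JWK values, the in-memory "server" and the challenge responses are constructed test data, not real keys. For tls-sni-02 it treats the SAN the server looks for as an opaque string equal to the keyAuthorization and takes the certificate's SAN list as already parsed; the real tls-sni-02 encoding of that name into a dNSName lives in the linked pull request and is deliberately not reproduced here.

```python
import base64
import hashlib
import json
from typing import Callable, Iterable

# RFC 7638: only these members, in lexicographic order, go into the thumbprint.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """ACME keyAuthorization = token || '.' || base64url(thumbprint(accountKey))."""
    return token + "." + jwk_thumbprint(account_jwk)


def validate(fetch: Callable[[str], Iterable[str]], token: str, account_jwk: dict) -> bool:
    """The shared procedure from the message:
    1. fetch the resource identified by the token;
    2. check that the keyAuthorization is among the values it carries."""
    expected = key_authorization(token, account_jwk)
    return expected in set(fetch(token))


# --- Constructed stand-ins for the two resource types (not a network client) ---

# http-01: the served file, keyed by the well-known path the token selects.
HTTP_FILES = {}
# tls-sni-02: the certificate's SAN list, keyed by the SNI name the token selects.
SNI_CERT_SANS = {}


def http01_fetch(token: str) -> Iterable[str]:
    """Return the body at /.well-known/acme-challenge/<token>, trailing whitespace stripped."""
    body = HTTP_FILES.get("/.well-known/acme-challenge/" + token, "")
    return [body.strip()]


def tls_sni_fetch(token: str) -> Iterable[str]:
    """Return the SANs of the certificate presented for the token-derived SNI name.
    The name derivation is a placeholder (assumption); the SAN values are opaque strings."""
    sni_name = token + ".acme-challenge.example"  # placeholder, not the draft's encoding
    return SNI_CERT_SANS.get(sni_name, [])


def run_demo() -> dict:
    """Populate the constructed server with one correct and one wrong response per challenge."""
    account_jwk = {  # constructed EC JWK; x/y are not a real key
        "kty": "EC", "crv": "P-256", "x": "ZmFrZS14", "y": "ZmFrZS15", "kid": "ignored",
    }
    token = "tok-" + b64url(b"constructed-token")
    good = key_authorization(token, account_jwk)

    HTTP_FILES["/.well-known/acme-challenge/" + token] = good + "\n"
    SNI_CERT_SANS[token + ".acme-challenge.example"] = ["unrelated.example", good]

    results = {
        "http01_ok": validate(http01_fetch, token, account_jwk),
        "tls_sni_ok": validate(tls_sni_fetch, token, account_jwk),
    }
    # Wrong account key: same token, different thumbprint, so both must fail.
    other_jwk = dict(account_jwk, x="b3RoZXIteA")
    results["http01_wrong_key"] = validate(http01_fetch, token, other_jwk)
    results["tls_sni_wrong_key"] = validate(tls_sni_fetch, token, other_jwk)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Because `validate` never inspects SAN A (the token) in the returned certificate, it matches the message's second point: the token only selects which resource to fetch, and the keyAuthorization alone decides the outcome.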
