On 01/25/2016 05:48 PM, Hugo Landau wrote:
> Was this an intended design feature of the http-01 challenge?
I think it was not specifically intended or discussed.
> Perhaps more pertinently I should ask, is this property desirable?
The main property we want from challenges is that they are unlikely to
be satisfied accidentally by a party other than the requester. I believe
that's the main value of random tokens as challenges. It's extremely
unlikely that someone will unintentionally have a file on their server
matching the random token.

It's likely that some people using Let's Encrypt will use the sort of
automated response you described, so they could unintentionally respond
with a challenge they did not intend to make. However, the inclusion of
the account key thumbprint would ensure that they are not authorizing an
account other than their own.


> This reduces the http-01 challenge to what is essentially an account key
> nomination, albeit with a random token (probably needed to satisfy CA/B
> forum requirements). I've previously suggested that e.g. the DNS
> challenge be changed similarly. In that regard it's quite convenient.
> I'm just mildly worried that this property doesn't seem to have been
> particularly noticed or discussed, in terms of its security properties.
I think treating challenges as account key nominations is valuable and
has the potential to make repeated challenge fulfillment easier. But
you're right, we should document the specific security properties that
the DV challenges are intended to provide.
> Musing a little, if this property was deemed desirable, the possibility
> of multiple account keys could be better accommodated by including say,
> a hash of the account key thumbprint in the URL.
This is an interesting idea, but I think if we want to go further down
this road, it makes more sense to have a challenge that returns all
account keys that the subscriber considers to be authorized for issuance
on the requested domain.
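As an added illustration of the property discussed in this thread (this is example code, not anything from the original message or from the ACME specification itself): the http-01 key authorization is the random token joined with a "." to the RFC 7638 thumbprint of the account key, so a server that merely echoes back whatever token it is asked for (the "automated response" above) never produces a valid answer for an account key it does not hold. The account keys below are constructed EC JWKs with arbitrary coordinates, the token is a constructed value, and the `validate_http01` function stands in for the CA's HTTP fetch by looking up a path in a dict instead of talking to a web server.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members,
    serialized in lexicographic key order with no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """What the subscriber must serve: token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def validate_http01(served: dict, token: str, account_jwk: dict) -> bool:
    """CA-side check. `served` (path -> body) stands in for fetching
    http://<domain>/.well-known/acme-challenge/<token>; the body is
    whitespace-trimmed and must equal the key authorization for the
    account that requested the challenge."""
    body = served.get(f"/.well-known/acme-challenge/{token}")
    if body is None:
        return False
    return body.strip() == key_authorization(token, account_jwk)


# Constructed sample account keys: the coordinates are arbitrary bytes,
# not points on P-256, which is fine because only the thumbprint is used here.
ACCOUNT_A = {"kty": "EC", "crv": "P-256", "x": b64url(b"A" * 32), "y": b64url(b"B" * 32)}
ACCOUNT_B = {"kty": "EC", "crv": "P-256", "x": b64url(b"C" * 32), "y": b64url(b"D" * 32)}

# Constructed token; ACME tokens are random base64url strings (>= 128 bits of entropy).
TOKEN = b64url(bytes(range(32)))


def naive_echo_server(token: str) -> dict:
    """The automated responder from the thread: answers any challenge path
    by echoing the token, without knowing any account key."""
    return {f"/.well-known/acme-challenge/{token}": token}


def nominating_server(token: str, account_jwk: dict) -> dict:
    """A subscriber that nominates its own account key (trailing newline is
    allowed because the validator trims whitespace)."""
    return {f"/.well-known/acme-challenge/{token}": key_authorization(token, account_jwk) + "\n"}


if __name__ == "__main__":
    print("own key, own challenge:  ", validate_http01(nominating_server(TOKEN, ACCOUNT_A), TOKEN, ACCOUNT_A))
    print("own key, other's account:", validate_http01(nominating_server(TOKEN, ACCOUNT_A), TOKEN, ACCOUNT_B))
    print("token echo, any account: ", validate_http01(naive_echo_server(TOKEN), TOKEN, ACCOUNT_A))
```

The second and third cases are the point of the thread: a response that nominates key A does not authorize account B, and a response that contains only the token authorizes nobody, so an unintended automated answer cannot be turned into issuance for a third party's account.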

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme