hello, I have a little proposal: https://github.com/ietf-wg-acme/acme/issues/88
In short, I see not THAT much reason to use a completely random string for the challenges; I think it would be better to just use your account key. The only thing random keys do is increase annoyance when you cannot work automatically (try manually posting 14 challenges from SSH to your web folder and you'll get my point).

My idea is that instead of a random string you rather use your account key (or a hash of it) as the challenge. With that you don't always have to create and delete challenge records, because you can just let them stay there, which essentially also lowers the strain on DNS servers during renewal times (in case of DNS validation). The servers of the ACME CA will also have less strain, because they don't need to send extra challenges and check those: the possession of the key is already proven, because it needs to sign every request in the ACME protocol. That's why it makes sense to just use the established identity instead of establishing something completely new and then linking it. They just need to download the key file/records and check whether the key we want is inside.

Also, when you want to create a SAN cert with HTTP challenge for multiple webroots, you can just copy-paste the same file to all webroots and the automation doesn't have to worry about anything else.

Best regards.
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
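A sketch of the CA-side check the proposal describes (the "hash of the account key" variant), added here as an example; it is not code from the original mail or from any ACME implementation. It assumes the hash is the RFC 7638 JWK thumbprint and that the served file or TXT record is read as a list of values; the sample key below is constructed, not a real key.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    lexicographically ordered, serialized without whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def validate_static_challenge(account_jwk: dict, served_values: list) -> bool:
    """The check the proposal sketches: the CA fetches the well-known file
    (or the DNS TXT records) and looks for the hash of the account key that
    signed the request. Blank lines and comments in the file are ignored, so
    the same file can be copied to every webroot unchanged."""
    expected = jwk_thumbprint(account_jwk)
    for value in served_values:
        value = value.strip()
        if not value or value.startswith("#"):
            continue
        if value == expected:
            return True
    return False


# Constructed sample account key (EC P-256 shape, placeholder coordinates).
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "CONSTRUCTED-x-coordinate-not-a-real-key",
    "y": "CONSTRUCTED-y-coordinate-not-a-real-key",
    "kid": "acct-42",   # optional member; must not affect the thumbprint
}


if __name__ == "__main__":
    served = ["# static ACME challenge file", jwk_thumbprint(SAMPLE_JWK) + "\n"]
    print("valid:", validate_static_challenge(SAMPLE_JWK, served))
```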
