I didn't even specify a direct order in the first place, but the client could tell the user how to do the stuff if there is no key. Pre-publishing is one of the reasons for this, since it also allows you to delegate a subdomain to someone else in the DNS challenge without having to wait for a challenge.

Also you even need to sign an extra random value, because it should probably have signed one when trying to request the cert, so they can just check for the records/keyfile and compare the signature.

Regards.

2016-03-21 10:29 GMT+01:00 Thomas Lußnig <[email protected]>:

> Hi Philipp,
>
> why not switch the handling.
> Publish the fingerprint of your public key in DNS/web.
> And the challenge is then to sign the random value with your public key.
> This would also speed up the whole process, since the ACME server
> can get the pub key when you request the domain and then check your
> response.
> And not you tell him "check the webpage now" and wait till he checked the
> page.
>
> Regards, Thomas
>
>
> On 21.03.2016 at 09:42, Philipp Junghannß wrote:
>> hello, I have a little proposal:
>> https://github.com/ietf-wg-acme/acme/issues/88
>>
>> in short, I see not THAT much reason to use a completely random string for
>> the challenges; I think it would be better to just use your account key.
>> The only thing random keys do is increase annoyance when you cannot work
>> automatically (try manually posting 14 challenges from SSH to your web
>> folder and you'll get my point).
>>
>> My idea is that instead of a random string you rather use your account key
>> (or a hash of it) as the challenge. With that you don't always have to
>> create and delete challenge records, because you can just let it stay there,
>> which essentially also lowers the strain on DNS servers during renewal
>> times (in case of DNS validation).
>>
>> Also the servers of the ACME CA will have less strain, because they
>> don't need to send extra challenges and check those, because the possession
>> of the key is already proven, as it needs to sign every request in the
>> ACME protocol. That's why it makes sense to just use the established
>> identity instead of establishing something completely new and then linking
>> it. They just need to download the key file/records and check whether the
>> key we want is inside.
>>
>> Also, when you want to create a SAN cert with the HTTP challenge for multiple
>> webroots, you can just copy-paste the same file to all webroots and the
>> automation doesn't have to worry about anything else.
>>
>> best regards.
>>
>>
>> _______________________________________________
>> Acme mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/acme
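The exchange Thomas sketches above (a long-lived key fingerprint published in DNS, plus a per-authorization random value signed with the account key) as an added, self-contained example; it is not code from the thread, from the ACME specification or from any ACME implementation. It assumes Ed25519 account keys for brevity (ACME clients normally use RSA or ECDSA), reuses the `_acme-challenge` label purely as a convenient record name, and stands in an in-memory map for the DNS zone that a real CA would resolve. The point it makes on the validation side is that the CA must check both things: that the key which signed the request is the one the zone publishes, and that the signature covers the CA's fresh nonce and the identifier, so a captured response cannot be replayed for a later order or for a different name.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Zone is a constructed stand-in for the DNS TXT records (or the web
// directory) where the account holder publishes a value; real code would
// resolve the name over DNS or fetch the file over HTTP.
type Zone map[string]string

// RecordName is the label this sketch assumes for the published fingerprint
// (borrowed from DNS-01's _acme-challenge prefix; an assumption, not a spec).
func RecordName(domain string) string {
	return "_acme-challenge." + domain
}

// Fingerprint is base64url(SHA-256(public key)): the long-lived value that can
// stay in DNS across renewals instead of a fresh random token per challenge.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// Publish is the client-side step, done once (or delegated to whoever runs the zone).
func Publish(z Zone, domain string, pub ed25519.PublicKey) {
	z[RecordName(domain)] = Fingerprint(pub)
}

// NewNonce is the server side: a fresh random value per authorization, so a
// captured response cannot be replayed for a later order.
func NewNonce() ([]byte, error) {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	return n, nil
}

// signingInput binds the signature to both the identifier and the nonce, so a
// response produced for one domain cannot be reused for another.
func signingInput(domain string, nonce []byte) []byte {
	return append([]byte(domain+"\x00"), nonce...)
}

// Respond is the client side: sign the nonce with the account private key.
func Respond(priv ed25519.PrivateKey, domain string, nonce []byte) []byte {
	return ed25519.Sign(priv, signingInput(domain, nonce))
}

// Verify is the server side. The account key that signed the ACME request must
// match what the domain's zone publishes, and the nonce signature must verify
// under that same key. Either check on its own is insufficient.
func Verify(z Zone, domain string, accountPub ed25519.PublicKey, nonce, sig []byte) error {
	rec, ok := z[RecordName(domain)]
	if !ok {
		return errors.New("no fingerprint published for " + domain)
	}
	if rec != Fingerprint(accountPub) {
		return errors.New("published fingerprint does not match account key")
	}
	if !ed25519.Verify(accountPub, signingInput(domain, nonce), sig) {
		return errors.New("signature over nonce does not verify")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	zone := Zone{}
	Publish(zone, "example.com", pub)
	nonce, err := NewNonce()
	if err != nil {
		panic(err)
	}
	sig := Respond(priv, "example.com", nonce)
	fmt.Println("valid response:", Verify(zone, "example.com", pub, nonce, sig))
	other, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("wrong account key:", Verify(zone, "example.com", other, nonce, sig))
}
```

With the record in place, renewals only need a new nonce and a new signature; nothing in the zone changes, which is the lower-churn property the proposal is after, while the nonce keeps the CA from accepting stale proofs.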
