I'm not sure why the contents of the http-01 challenge could not be
considered a 'request token'? A favorable interpretation that would
require no changes would be that the random token (in ACME speak) is
only half of the 'request token' (CABF speak) that is required for
validation and therefore the full 'request token' _is not_ present in
the request (since the required key authorization contains both the
random token and the thumbprint of the JWK public key).

On 04/10/2017 09:13 AM, Ilari Liusvaara wrote:
> I read a draft for ballot[1] about changes to CABForum BR domain
> validation rules, and noticed that it drops the "required website
> content" bit, only retaining the Random Value and Request Token
> bits. Now, request token parts are irrelevant: HTTP-01 clearly does
> not qualify as request token.
> 
> This leaves Random Value. There is also a requirement that the
> Random Value does not appear in the request. Now, obviously HTTP-01
> does put the Random Value into the request. So it seemingly would not
> comply.
> 
> Having to drop HTTP validation without replacement would be very
> bad to say the least. The estimated number of domains using it is in
> the millions, and for the vast majority, there is no viable replacement
> (besides disabling HTTPS, perhaps using a commercial cert to ride
> the HSTS timeout).
> 
> Maybe the WG could define HTTP-02 that doesn't send the same
> random value back? It would also solve the known issue that one
> can mint responses without knowing about the challenge
> (TLS-SNI-01 had a similar issue).
> 
> As to why they want to drop the "required website content" bit,
> historically, many CAs have invented many quite bad validation
> methods, some based on methods from Baseline Requirements.
> 
> [1] AFAIK, not yet in pre-voting discussion, but has the two
> endorsers needed to start official pre-voting discussion.
> 
> -Ilari
> 
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
> 

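As an added illustration (not code from the thread or from any ACME implementation), the key-authorization computation the reply refers to, using an RFC 7638 JWK thumbprint over an illustrative account key: the validation request carries only the token, while the content the CA expects to find also depends on the account key, so the full expected response is not present in the request.

```python
import base64
import hashlib
import json

# Constructed, illustrative P-256 account key in JWK form (RFC 7517 example values; not a live key).
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}

# RFC 7638: only the required public members of each key type enter the thumbprint input.
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for JWS and ACME fields."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON (sorted members, no whitespace)."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Content the client must serve for http-01: token, '.', account key thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_request_path(token: str) -> str:
    """Path the CA fetches; it contains the token and nothing derived from the account key."""
    return f"/.well-known/acme-challenge/{token}"


def request_reveals_full_key_authorization(token: str, jwk: dict) -> bool:
    """True only if the validation request itself already contains the whole expected response."""
    return key_authorization(token, jwk) in challenge_request_path(token)


def ca_accepts(token: str, jwk: dict, served_body: str) -> bool:
    """CA-side comparison: the served body (trailing whitespace ignored) must equal the key authorization."""
    return served_body.rstrip() == key_authorization(token, jwk)
```

Serving only the token back, as a party who merely observed the request could, fails `ca_accepts`, which is the point the reply makes about the thumbprint half.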