The following feedback is based on cd7c5e9 (current HEAD of master).

Section 8.3 states that the token value for HTTP validation "MUST have at least 128 bits of entropy." Section 11.3 explains that one goal of this is that "the entropy requirement prevents ACME clients from implementing a “naive” validation server that automatically replies to challenges without participating in the creation of the initial authorization request."

However, because of the way the token is used in the validation process, as a part of the request, this goal is not met.

It is possible to configure a webserver to respond to all requests under .well-known/acme-challenge with the ASCII representation of the key authorization. (See, e.g., https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode.) Essentially, the server informs the client of the token during the validation process, removing any need for the client to have known it.

If this is acceptable, the entropy requirement should be removed. If this is unacceptable, the challenge and validation should be revised.

Regards,
Zach Shepherd
_______________________________________________
Acme mailing list
https://www.ietf.org/mailman/listinfo/acme
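The point made in the message above, as an added example that is not part of the original e-mail or of acme.sh: a responder can build the key authorization from the request path alone, so a fresh 128-bit token does not show that the responder took part in creating the authorization. It assumes the ACME key authorization format (token, a dot, then the base64url JWK thumbprint of the account key); `ACCOUNT_JWK` is a constructed placeholder and the function names are hypothetical.

```python
import base64
import hashlib
import json
import re
import secrets

# Constructed account public key (JWK); placeholder values, not a real key.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}

PREFIX = "/.well-known/acme-challenge/"
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")  # base64url alphabet only


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def stateless_respond(path: str, thumbprint: str):
    """Build the response body from the request path alone (no per-order state)."""
    if not path.startswith(PREFIX):
        return None
    token = path[len(PREFIX):]
    if not TOKEN_RE.fullmatch(token):  # reject empty tokens and path tricks
        return None
    return f"{token}.{thumbprint}"


def validate_fresh_challenge(thumbprint: str) -> bool:
    """Validation-server side: pick an unseen 128-bit token, fetch, compare."""
    token = b64url(secrets.token_bytes(16))
    expected = f"{token}.{thumbprint}"
    # The responder learns the token only from the request path it is handed.
    return stateless_respond(PREFIX + token, thumbprint) == expected


if __name__ == "__main__":
    print(validate_fresh_challenge(jwk_thumbprint(ACCOUNT_JWK)))
```

The only secret-independent input the responder needs is the account key thumbprint, which is fixed per account and does not change between challenges.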
