On Mon, Nov 13, 2017 at 12:32:44PM +0100, Sebastian Nielsen wrote:
> What I have understood with the 30 day limit is that the authorization 
> granted must be granted for a maximum of 30 days.
> E.g., one token, regardless of whether it's random or static, may either be 
> single-use or allow a maximum of 30 days where the system considers the domain as 
> "validated".

The technical term used by the BR is "Request Token".

"
Request Token:  [...]

A Request Token MAY include a timestamp to indicate when it was created.

[...]

A Request Token that includes a timestamp SHALL remain valid for no more
than 30 days from the time of creation.

A Request Token that includes a timestamp SHALL be treated as invalid if
its timestamp is in the future. 

A Request Token that does not include a timestamp is valid for a single
use and the CA SHALL NOT reuse it for a subsequent validation.

[...]
"

Source: CA/Browser Forum: Baseline Requirements for the Issuance and
Management of Publicly-Trusted Certificates. Version 1.5.4, Section
1.6.1: Definitions.

And SHALL/SHALL NOT are absolute requirements.


I.e. tokens themselves may live for at most 30 days.

How long the validations granted can live is actually unclear even
to CABForum participants. One could interpret that such grants can be
at most 30 days for tokens, or one could interpret that such grants can
be valid for at most 825 days (the maximum grant lifetime for any
method). 

> The idea is that you should be able to automate setting up DNS-01 once,
> and then it is set once and for all.

There have been proposals in that direction. However, it would take
BR changes.


-Ilari
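As an added illustration (not code from Ilari's message or from the BR text), the three quoted Request Token rules can be applied on the CA side like this; the `RequestToken` structure, the `TokenValidator` class, the single-use bookkeeping and all timestamps are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set

# Limit taken from the quoted BR 1.5.4 Section 1.6.1 text: a timestamped
# Request Token remains valid for no more than 30 days from creation.
MAX_TOKEN_AGE = timedelta(days=30)


@dataclass(frozen=True)
class RequestToken:
    value: str
    created: Optional[datetime] = None  # None means no embedded timestamp


@dataclass
class TokenValidator:
    """Applies the quoted rules. Untimestamped tokens are single-use, so the
    CA has to remember which ones it has already consumed (assumed in-memory set)."""
    used: Set[str] = field(default_factory=set)

    def check(self, token: RequestToken, now: datetime) -> str:
        if token.created is None:
            # No timestamp: valid for one use only; the CA SHALL NOT reuse it.
            if token.value in self.used:
                return "invalid: untimestamped token already used"
            self.used.add(token.value)
            return "valid"
        if token.created > now:
            # A timestamp in the future SHALL be treated as invalid.
            return "invalid: timestamp in the future"
        if now - token.created > MAX_TOKEN_AGE:
            # Exactly 30 days is still "no more than 30 days"; older is not.
            return "invalid: older than 30 days"
        return "valid"


def demo() -> List[str]:
    """Runs constructed tokens against a fixed clock and returns the outcomes."""
    now = datetime(2017, 11, 13, 12, 0, tzinfo=timezone.utc)  # constructed clock
    validator = TokenValidator()
    cases = [
        RequestToken("fresh", now - timedelta(days=10)),
        RequestToken("edge", now - MAX_TOKEN_AGE),
        RequestToken("stale", now - timedelta(days=31)),
        RequestToken("future", now + timedelta(minutes=5)),
        RequestToken("once"),          # first use of an untimestamped token
        RequestToken("once"),          # second use must be rejected
    ]
    return [validator.check(t, now) for t in cases]
```

Use timezone-aware datetimes throughout; comparing a naive token timestamp against an aware clock raises a TypeError rather than silently passing.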

_______________________________________________
Acme mailing list
https://www.ietf.org/mailman/listinfo/acme