2018-01-11 20:36 GMT+01:00 Ilari Liusvaara <[email protected]>:
> On Thu, Jan 11, 2018 at 08:23:26PM +0100, Sophie Herold wrote: > > Hi, > > > > challenge tokens "MUST have at least 128 bits of entropy", at the same > > time it seems trivial to guess order and authorization URLs like the > > ones used in the examples. It seems natural, that URLs MUST be generated > > with the same amount of entropy. But I couldn't find that in the draft. > > > > > > For account objects, GET request are not allowed: > > > > Servers SHOULD NOT respond to GET requests for account resources as > > these requests are not authenticated. > > > > This suggests that all non-expiring URLs should be protected in this > > way. At least for orders lists, this protection is missing. > > > > The token entropy requirement is to render those tokens unguessable > before the validation request is received. This is to protect against > careless servers. The token is not actually secret after it has been > generated. > I don't think it is for careless servers, the token is provided in the request, so any server can respond with it. Rather it's required to fulfill the CA/Browser Forum rules. Regards, Niklas > Now, in some approved CA validation methods, the tokens actually are > secret, but none of those is used in ACME. > > > -Ilari > > _______________________________________________ > Acme mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/acme >
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
