But there is one difference between the two proofs.
1) DNS-01: the proof with a TXT record is that you have current DNS access
2) CNAME: the proof is that you once had DNS access and now have Account Key access

And there is no difference from the idea of publishing the account key via a TXT record.
Both prove one-time DNS access and current account key access. With a TLSA record you would have the same security as DANE, which is treated as the successor of the CA system.


On 1/23/2018 9:52 PM, Tim Hollebeek wrote:
It doesn't matter if lookups chase CNAMEs, because the answer has to
include a cryptographically secure random number that was created
especially for that particular validation and was not used in previous
validations, in order to be compliant with the BRs.

Your arbitrary computable impure function is not going to successfully
guess a secure random number.

-Tim

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, January 23, 2018 1:48 PM
To: Tim Hollebeek <[email protected]>
Cc: [email protected]; 'Jacob Hoffman-Andrews' <[email protected]>; Sebastian
Nielsen <[email protected]>
Subject: Re: [Acme] Assisted-DNS challenge type [invalid signature!] [invalid signature!]

On Tue, Jan 23, 2018 at 07:53:12PM +0000, Tim Hollebeek wrote:
> > Oh, and the method very similar to the proposed one (involving static
> > CNAME as persistent authentication) is being used in the wild. And
> > due to the fundamental nature of DNS, even a static zone can result in
> > variable results for names under the zone.
> By who?  I don't think it's possible for such a method to be compliant
> with any of the current BR methods.  If it is, we'll fix it.

Amazon ACM DNS validation, based on descriptions I have seen.

And the reading that it complies with 10 methods is way less bizarre than
the reading that ACME HTTP-01 complies.


And DNS specifications are darn clear that TXT lookups chase CNAMEs.
And CNAMEs are not the only authority transfer mechanism. And then there
are DNS servers that can run arbitrary computable impure(!) functions to
answer queries. Versus those you do not even have a snowball's chance in hell.


-Ilari

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
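The two points argued above (Tim: every validation carries a fresh, unguessable token, so nothing static can pre-answer it; Ilari: TXT lookups chase CNAMEs, so a static CNAME delegation still lets the account-key holder answer) can be seen together in a small model. This is an added illustration, not code from the thread or from any ACME implementation: the zone names, the delegated-zone label, the account thumbprint and the resolver are all constructed stand-ins, and the TXT value is computed the way RFC 8555 dns-01 specifies it.

```python
import base64
import hashlib
import secrets

# Constructed zone data (assumption, not real DNS): name -> (rrtype, rdata).
# The static CNAME hands _acme-challenge for example.test to a zone that the
# holder of the ACME account key controls; it never needs to change.
STATIC_ZONES = {
    "_acme-challenge.example.test.": ("CNAME", "example-test.acme.delegated.test."),
}


def resolve_txt(name, zones, max_chain=8):
    """Return the TXT strings at `name`, chasing CNAMEs as resolvers do.

    A missing name, a non-TXT terminal record, a CNAME loop or a chain
    longer than max_chain all resolve to an empty answer."""
    seen = set()
    for _ in range(max_chain):
        if name in seen:
            return []  # CNAME loop
        seen.add(name)
        record = zones.get(name)
        if record is None:
            return []
        rtype, rdata = record
        if rtype == "CNAME":
            name = rdata  # follow the alias and look again
            continue
        return list(rdata) if rtype == "TXT" else []
    return []  # chain too long


def new_token():
    """Fresh, unguessable challenge token for exactly one validation
    (256 bits from the OS CSPRNG, above the BR 112-bit floor)."""
    return secrets.token_urlsafe(32)


def expected_txt(token, account_thumbprint):
    """RFC 8555 dns-01 TXT value: base64url(SHA-256(token '.' thumbprint)),
    unpadded. Only a party holding the account key can produce it."""
    key_authorization = f"{token}.{account_thumbprint}".encode()
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def validate_dns01(domain, token, account_thumbprint, zones):
    """CA-side check: the chased TXT answer must contain this token's value."""
    name = f"_acme-challenge.{domain}."
    return expected_txt(token, account_thumbprint) in resolve_txt(name, zones)


def run_scenario():
    """Two validations against the same unchanged CNAME; returns outcomes."""
    thumbprint = "CONSTRUCTED-ACCOUNT-KEY-THUMBPRINT"  # placeholder JWK thumbprint
    zones = dict(STATIC_ZONES)
    delegated = "example-test.acme.delegated.test."
    outcomes = {}

    token1 = new_token()
    # Anything published before the token existed cannot match it.
    zones[delegated] = ("TXT", ("value-published-before-the-challenge",))
    outcomes["precomputed"] = validate_dns01("example.test", token1, thumbprint, zones)

    # The account-key holder publishes the current value in the delegated zone.
    zones[delegated] = ("TXT", (expected_txt(token1, thumbprint),))
    outcomes["current"] = validate_dns01("example.test", token1, thumbprint, zones)

    # A later validation gets a new token; last time's answer no longer passes.
    token2 = new_token()
    outcomes["replayed"] = validate_dns01("example.test", token2, thumbprint, zones)
    return outcomes


if __name__ == "__main__":
    print(run_scenario())  # {'precomputed': False, 'current': True, 'replayed': False}
```

The CNAME in STATIC_ZONES is the only thing the domain's own zone ever carries; what changes per validation is the TXT in the delegated zone, which only someone who sees the fresh token and holds the account key can fill in. A CA-side resolver should also bound the chain length and reject loops, as resolve_txt does, so a misconfigured or hostile delegation degrades to a failed validation rather than an open-ended lookup.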
