Manger, James <[email protected]> wrote:
> An Acme CA may choose the dns-01 challenge token, but what goes in the
> DNS TXT record is base64url(SHA-256(f(token and account key))).
I don't see this anywhere in RFC8555.
I see section 8.1, which deals with a keyAuthorization.
Section 8.4 says that the token must have 128 bits of entropy,
and that it should restrict itself to the base64url alphabet.
Beyond that, I don't see any formula like above: an ACME server could, as you
say below, notice when needed "-" in the result and try again.
I think we are agreeing, but you are just telling me what current code does?
> So to avoid hyphens in that result the CA would need to: pick a random
> token; do the hash & base64url calculations; then repeat with a new
> random token if any hyphens are present. It will only take 2 tries on
> average ; - )
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
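The dns-01 computation from RFC 8555 Sections 8.1 and 8.4, together with the "pick a new token until the result has no hyphen" loop James describes, as an added Python example (not code from either poster or from any ACME implementation). The JWK coordinates are constructed, not a real key, and expected_tries() checks the "about 2 tries on average" claim.

```python
import base64
import hashlib
import json
import secrets

def b64url(data: bytes) -> str:
    """base64url as RFC 8555 uses it: URL-safe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required public members only,
    serialised with sorted keys and no whitespace (extra members ignored)."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def dns01_txt_value(token: str, jwk: dict) -> str:
    """Section 8.1: keyAuthorization = token || "." || base64url(thumbprint);
    Section 8.4: the TXT record carries base64url(SHA-256(keyAuthorization))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

def new_token() -> str:
    """Section 8.4: at least 128 bits of entropy, base64url alphabet only."""
    return b64url(secrets.token_bytes(16))

def pick_hyphen_free_token(jwk: dict, max_tries: int = 64) -> tuple:
    """The retry loop from the quoted post: draw a fresh token until the
    resulting TXT value contains no "-". Returns (token, txt_value, tries)."""
    for tries in range(1, max_tries + 1):
        token = new_token()
        txt = dns01_txt_value(token, jwk)
        if "-" not in txt:
            return token, txt, tries
    raise RuntimeError(f"no hyphen-free TXT value after {max_tries} tries")

def expected_tries(length: int = 43, alphabet: int = 64) -> float:
    """Mean number of draws until a 43-char base64url digest has no "-":
    each char avoids "-" with probability 63/64, so P(no "-") = (63/64)^43."""
    return 1.0 / ((alphabet - 1) / alphabet) ** length

# Constructed P-256 JWK with made-up coordinates (not a real key); the
# thumbprint ignores the "kid" member and the order of the others.
EXAMPLE_JWK = {"kid": "example-1", "kty": "EC", "crv": "P-256",
               "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}

if __name__ == "__main__":
    token, txt, tries = pick_hyphen_free_token(EXAMPLE_JWK)
    print(f"token={token} txt={txt} tries={tries} (mean ~{expected_tries():.2f})")
```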
