From my understanding, under ACME we treat that entire accountURL as the
userID. So I think that URL will need to be stable.

On Fri, Feb 2, 2024 at 2:36 AM Seo Suchan <[email protected]> wrote:

> for some ACME servers they have multiple allowed acme endpoint domains,
> and server doesn't know what domain name client used to access its API
> duce don't have full accounturl that used to craft challenge subdomain:
>
> like boulder (what Let's Encrypt uses) allows to be accessed from multiple
> paths, ex:
>
> "accountURIPrefixes": [
> "http://boulder.service.consul:4000/acme/reg/",
> "http://boulder.service.consul:4001/acme/acct/"
>          ]
>
>   , and pebble and smallstep do not have host in config but allow any ip
> or domain pointed to them and reflect them to create link to
> account/order/etc
>
> would only using userid part of accountURL (ExampleAccount) from
> https://example.com/acme/acct/ExampleAccount have problem? while it's
> trivial to extract from hash to accounturl as accountID was
> autoincrementing counter, but was there are so few large acme provider
> it was trivial to make rainbow table anyway.
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
>
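The stability problem discussed in this thread, as an added example that is not part of either message: a server that accepts several account URL prefixes derives a different challenge label for each URL form, so it has to check every form it accepts. The label construction (lowercase base32 of the first 10 bytes of SHA-256 over the account URL) is an assumption and does not appear in the thread; the helper names are hypothetical.

```python
import base64
import hashlib

# Prefixes copied from the Boulder config quoted in the thread.
ACCOUNT_URI_PREFIXES = [
    "http://boulder.service.consul:4000/acme/reg/",
    "http://boulder.service.consul:4001/acme/acct/",
]


def account_label(account_url: str) -> str:
    """ASSUMED construction: base32(SHA-256(account URL)[0:10]), lowercased."""
    digest = hashlib.sha256(account_url.encode("ascii")).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def candidate_labels(account_id: str, prefixes=ACCOUNT_URI_PREFIXES) -> dict:
    """Map every account URL form the server accepts to the label it implies."""
    return {p + account_id: account_label(p + account_id) for p in prefixes}


def find_matching_url(published_label: str, account_id: str,
                      prefixes=ACCOUNT_URI_PREFIXES):
    """Return the URL form whose label the client published, or None.

    The server cannot know which endpoint name the client used, so it
    tries each accepted prefix instead of assuming a single canonical URL.
    """
    for url, label in candidate_labels(account_id, prefixes).items():
        if label == published_label:
            return url
    return None


if __name__ == "__main__":
    # "ExampleAccount" is the sample account id used in the quoted message.
    for url, label in candidate_labels("ExampleAccount").items():
        print(f"{label}  <-  {url}")
    # A label derived from the bare id matches no URL-derived label.
    print(find_matching_url(account_label("ExampleAccount"), "ExampleAccount"))
```
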