Re: [Acme] expiry in dns-account-01

Hi Jacob, What use case did you have in mind for including the expiration date in the RDATA? We didn't choose to initially include it as we believed the instructions for when a validation record could be removed were clear with ACME. ACME challenge tokens are only used once and have the expiry of

Re: [Acme] Happy Birthday ACME!

Thanks for starting the discussion, Rob! One aspect of RFC 8555 that is quite clunky in practice is utilizing the notBefore/notAfter dates in the new-order request [1 ]. I believe there are a few problems with it. 1. "new-order" may b

Re: [Acme] [Technical Errata Reported] RFC8555 (6843)

ertificate Management Environment (ACME)". > > > > -- > > You may review the report below and at: > > https://www.rfc-editor.org/errata/eid6843 > > > > -- > > Type: Technical > &

Re: [Acme] [Technical Errata Reported] RFC8555 (5983)

I agree. On Tue, Feb 25, 2020, 5:05 AM Richard Barnes wrote: > This seems Verified to me. > > On Mon, Feb 24, 2020 at 8:46 PM Benjamin Kaduk wrote: > >> Authors, should this be marked Verified? >> >> Thanks, >> >> Ben >> >> On Fri, Feb 14, 2020 at 10:18:53AM -0800, RFC Errata System wrote: >> >

Re: [Acme] RFC draft-ietf-acme-acme-02 - tls SNI name

There are a few attack scenarios that "acme.invalid" attempts to account for. It protects sites like blogs that may allow users to select subdomains and upload certificates (x.y.token.blog.com would be potentially vulnerable). Multiple virtual hosts on shared hosting environments are also a conce

Re: [Acme] Remove combinations array

Agreed. The removal greatly simplifies the protocol. As you noted, the addition of the "application requirements" achieves the same intended result. On Wed, Aug 17, 2016 at 12:41 PM, Richard Barnes wrote: > SGTM. I never like "combinations" much anyway :) I put one editorial > comment in the P

Re: [Acme] Economize on nonces

One other way that the nonce storage problem may be solved on the ACME server is by using "authenticated nonces". The server could devise a system that included a timestamp and MAC. The idea being that the server would only accept a nonce if its timestamp was within a window and the MAC was verif

Re: [Acme] Economize on nonces

I agree that there are a large number of wasted nonce values which creates a burden for the ACME server. This PR would certainly reduce the number of unused nonces. It seems unfortunate that with this PR, the only guaranteed way to begin the ACME process is by posting a failed registration reques

Re: [Acme] High level comments on draft-barnes-acme (the GitHub version)

> Having said that I was quite suprised that a new method was suggested. > It IMHO mainly adds bloat. It proves authoritative access over the server. Changing the certificate requires modifying the server configuration. SimpleHTTP/S is vulnerable to attackers who have filesystem access (PHP scri

Re: [Acme] Client-controlled values

9 OID (this was avoided initially to ease the client implementation. The SAN extension is generally well-supported.) 4. We could change R and S to be 30-byte octet strings. On Tue, Jan 13, 2015 at 2:27 PM, Jacob Hoffman-Andrews wrote: > James Kasten and I discussed this offline. He pointed out tha