Re: [Acme] Mail regarding craft of hash for draft-ietf-acme-dns-account-challenge

2024-02-07 Thread Amir Omidi
I've been thinking about this more. I'm going to remove the uniqueness stipulation, and just formalize something along the lines of "use the kid that was in the JWS of the request". Obviously the normal "validate the JWS before you just blindly trust it" still applies. This way, the account KIDs

Re: [Acme] Mail regarding craft of hash for draft-ietf-acme-dns-account-challenge

2024-02-06 Thread Amir Omidi
We are using the `kid` value. And from my understanding in the ACME spec, when a client is responding with a POST request to the challenge URL, the KID is included in that JWS payload. That's the KID that should be used for constructing the validation domain. On Mon, Feb 5, 2024 at 12:22 PM

Re: [Acme] Mail regarding craft of hash for draft-ietf-acme-dns-account-challenge

2024-02-05 Thread Aaron Gable
And I think the implication here is that, if an ACME server responds on multiple URIs and reflects those multiple URIs back to the client in the Location header, then that server must also support hashes of those multiple URIs when conducting DNS-ACCOUNT-01. Does that make sense? Aaron On Sat,

Re: [Acme] Mail regarding craft of hash for draft-ietf-acme-dns-account-challenge

2024-02-03 Thread Amir Omidi
No, the accountURL/URI that new-account returns is the only authoritative path. I'll make sure that it is spelled out in the RFC. If an acme client has an account key, it can use the method described here: https://datatracker.ietf.org/doc/html/rfc8555#section-7.3.1 to find the accountURL for that

Re: [Acme] Mail regarding craft of hash for draft-ietf-acme-dns-account-challenge

2024-02-03 Thread Ilari Liusvaara
On Fri, Feb 02, 2024 at 04:35:51PM +0900, Seo Suchan wrote: > for some ACME servers they have multiple allowed acme endpoint domains, and > server doesn't know what domain name client used to access its API duce > don't have full accounturl that used to craft challenge subdomain: Both new order

Re: [Acme] Mail regarding craft of hash for draft-ietf-acme-dns-account-challenge

2024-02-03 Thread Seo Suchan
If it's stable but has multiple valid paths (ex: acme-v1.ca.com and acme-v2.ca.com), would the server need to try both subdomains and look up every possible valid path? On 2024-02-03 at 1:35 AM, Amir Omidi wrote: From my understanding, under ACME we treat that entire accountURL as the userID. So I

Re: [Acme] Mail regarding craft of hash for draft-ietf-acme-dns-account-challenge

2024-02-02 Thread Amir Omidi
From my understanding, under ACME we treat that entire accountURL as the userID. So I think that URL will need to be stable. On Fri, Feb 2, 2024 at 2:36 AM Seo Suchan wrote: > for some ACME servers they have multiple allowed acme endpoint domains, > and server doesn't know what domain name

[Acme] Mail regarding craft of hash for draft-ietf-acme-dns-account-challenge

2024-02-01 Thread Seo Suchan
For some ACME servers, they have multiple allowed ACME endpoint domains, and the server doesn't know what domain name the client used to access its API, so it doesn't have the full accountURL that was used to craft the challenge subdomain: like Boulder (what Let's Encrypt uses), which can be accessed from multiple paths