Re: [Acme] New draft and DANGER

2015-10-03 Thread Eric Rescorla
This seems OK to me.

-Ekr

On Fri, Oct 2, 2015 at 2:00 PM, Richard Barnes wrote:
> How about something like this:
>
> Authorized key object is TOKEN.FINGERPRINT, where:
> * TOKEN is the token in the challenge
> * FINGERPRINT is the JWK thumbprint of the account key (per the

Re: [Acme] New draft and DANGER

2015-10-02 Thread Jacob Hoffman-Andrews
On 10/01/2015 07:04 PM, Andrew Ayer wrote:
> Well... previously, the protocol was relying on a non-existent
> property of digital signatures. With a client-constructed authorized
> key object, it would be relying on the second-preimage resistance of
> SHA-256, which is a pretty safe bet, to put

Re: [Acme] New draft and DANGER

2015-10-02 Thread Eric Rescorla
I'm fine with having the client generate the object, but I think I'd be more comfortable if the data that the client had to provision for the challenge was deterministic, less for cryptographic reasons but simply to make it easier to reason about the protocol properties. Maybe this is a case for

Re: [Acme] New draft and DANGER

2015-10-02 Thread Richard Barnes
How about something like this:

Authorized key object is TOKEN.FINGERPRINT, where:
* TOKEN is the token in the challenge
* FINGERPRINT is the JWK thumbprint of the account key (per the relevant JOSE spec)

Same processing, except neither side has to send the object. (Might still have the client

Re: [Acme] New draft and DANGER

2015-10-02 Thread Jacob Hoffman-Andrews
On 10/02/2015 02:00 PM, Richard Barnes wrote:
> Authorized key object is TOKEN.FINGERPRINT, where:
> * TOKEN is the token in the challenge
> * FINGERPRINT is the JWK thumbprint of the account key (per the
> relevant JOSE spec)

This sounds reasonable. I don't see a reason to have the client echo

Re: [Acme] New draft and DANGER

2015-10-02 Thread Richard Barnes
I have implemented this solution in this PR:
https://github.com/ietf-wg-acme/acme/pull/13

Last call for comments...

On Fri, Oct 2, 2015 at 5:00 PM, Richard Barnes wrote:
> How about something like this:
>
> Authorized key object is TOKEN.FINGERPRINT, where:
> * TOKEN is the token

Re: [Acme] New draft and DANGER

2015-10-01 Thread Ashok Bommisetti
Hello All,

It was completely pocket. Apologize for the spam.

Regards,
Ashok

On Oct 1, 2015 7:35 PM, Ashok Bommisetti wrote:
>
> Bb b. Bb  by b  b by b.  Hxbbb. BBB. BBB b bbh huh.  H.
> N.   F by by b BBB b.
>
> On Oct 1, 2015 7:04 PM, Andrew Ayer

Re: [Acme] New draft and DANGER

2015-10-01 Thread Ashok Bommisetti
Bb b. Bb by b b by b. Hxbbb. BBB. BBB b bbh huh. H. N. F by by b BBB b.

On Oct 1, 2015 7:04 PM, Andrew Ayer wrote:
>
> On Wed, 30 Sep 2015 21:48:32 -0700
> Richard Barnes wrote:
>
> > The authorized key object is JSON,

Re: [Acme] New draft and DANGER

2015-09-30 Thread Richard Barnes
On Wed, Sep 30, 2015 at 7:32 PM, Andrew Ayer wrote:
> On Mon, 28 Sep 2015 15:01:57 -0400
> Richard Barnes wrote:
>
>> I opened a few PRs over the weekend that address recently-raised
>> issues:
>>
>> * "Address signature reuse vulnerability" -
>>

Re: [Acme] New draft and DANGER

2015-09-28 Thread Salz, Rich
> Please review the PR as soon as possible and provide comments to the
> list. Other issues or text suggestions for the draft are, of course, also
> welcome.

It can be useful to open an issue on the GH repo, so that things don't get lost. But please everyone, avoid the temptation to have all

Re: [Acme] New draft and DANGER

2015-09-28 Thread Richard Barnes
Dear WG,

I opened a few PRs over the weekend that address recently-raised issues:

* "Address signature reuse vulnerability" - https://github.com/ietf-wg-acme/acme/pull/6
* "Address default virtual host risks" - https://github.com/ietf-wg-acme/acme/pull/7
* "Add explicit versioning to challenges"

Re: [Acme] New draft and DANGER

2015-09-28 Thread Ted Hardie
On Mon, Sep 28, 2015 at 12:01 PM, Richard Barnes wrote:
> Dear WG,
>
> * "Add explicit versioning to challenges" -
> https://github.com/ietf-wg-acme/acme/pull/8
>

I'm not sure this is quite right. If I understand the proposal correctly,

Re: [Acme] New draft and DANGER

2015-09-28 Thread Richard Barnes
On Mon, Sep 28, 2015 at 4:43 PM, Ted Hardie wrote:
> On Mon, Sep 28, 2015 at 12:01 PM, Richard Barnes wrote:
>>
>> Dear WG,
>>
>> * "Add explicit versioning to challenges" -
>> https://github.com/ietf-wg-acme/acme/pull/8
>>
>
> I'm not sure this is quite right. If

Re: [Acme] New draft and DANGER

2015-09-28 Thread Martin Thomson
On 28 September 2015 at 13:43, Ted Hardie wrote:
> I'm not sure this is quite right. If I understand the proposal correctly, when
> a client sees http-01 but understands only http-00, the idea that one is
> related to the other has no meaning, as the client can only respond to
>