[Acme] Responding to challenges - spec bug?
Rob Stradling <rob@sectigo.com> Mon, 20 May 2019 15:56 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/-xxaoQF1xRDvuRDBofBGgUbXxWc>
RFC8555 sections 8.3 (http-01) and 8.4 (dns-01) both say:

  'A client responds with an empty object ({}) to acknowledge that the challenge can be validated by the server.'

Section 7.5.1, which is apparently intended to apply to all challenge types (including challenge types defined in other documents), says the same thing...

  'The client indicates to the server that it is ready for the challenge validation by sending an empty JSON body ("{}") carried in a POST request to the challenge URL (not the authorization URL).'

...but then, after showing an example HTTP request, it goes on to say...

  'The server updates the authorization document by updating its representation of the challenge with the response object provided by the client. The server MUST ignore any fields in the response object that are not specified as response fields for this type of challenge. Note that the challenges in this document do not define any response fields, but future specifications might define them.'

So it seems that the 'empty JSON body ("{}")' is intended to be interpreted by the ACME server as a "response object" that (depending on the challenge type) "might define" some "response fields". However, if any response fields are defined and included in the JSON body then the client will no longer be sending the 'empty JSON body ("{}")' that section 7.5.1 says it's supposed to send...

  'The client indicates to the server that it is ready for the challenge validation by sending an empty JSON body ("{}") carried in a POST request to the challenge URL (not the authorization URL).'

How would folks feel about an erratum to change that sentence in section 7.5.1 to the following?

  'The client indicates to the server that it is ready for the challenge validation by sending a POST request to the challenge URL (not the authorization URL), where the body of the POST request is a JWS object whose JSON payload is a response object (see Section 8). For all challenge types defined in this document, the response object is the empty JSON object ({}).'

-- 
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited
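Added example, not part of the post above and not code from any ACME client or server: both sides of the section 7.5.1 challenge-response POST as the proposed erratum reads it, with the JWS payload treated as a "response object" and the server dropping any field not defined for the challenge type. The signature is a constructed placeholder (a plain SHA-256 of the signing input) standing in for a real account-key signature, so the envelope is not a valid ACME JWS; the "hypothetical-01" challenge type and its "example-field" are made up to show how a future challenge type with a response field would be handled; the URLs, nonce and token are constructed values.

```python
"""Added example (not from the post or any ACME implementation): client and
server sides of the RFC 8555 section 7.5.1 challenge-response POST. The
signature is a constructed placeholder, not a real ES256/RS256 signature."""
import base64
import hashlib
import json

# Response fields the server accepts, keyed by challenge type. http-01 and
# dns-01 define none (sections 8.3, 8.4). "hypothetical-01" is a made-up type
# with one response field, only to show how the merge rule applies to it.
RESPONSE_FIELDS = {
    "http-01": frozenset(),
    "dns-01": frozenset(),
    "hypothetical-01": frozenset({"example-field"}),
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_placeholder(signing_input: bytes) -> bytes:
    # Constructed stand-in for signing with the account key; a real client
    # uses ES256/RS256 here (RFC 8555 forbids MAC-based JWS algorithms).
    return hashlib.sha256(signing_input).digest()


def build_challenge_post(challenge_url: str, kid: str, nonce: str,
                         response_obj=None) -> dict:
    """Client side: flattened JWS (section 6.2) whose payload is the response
    object. response_obj=None yields the empty payload string of a POST-as-GET
    (section 6.3), which reads the challenge rather than responding to it."""
    protected = {"alg": "ES256", "kid": kid, "nonce": nonce, "url": challenge_url}
    p = b64url(json.dumps(protected, separators=(",", ":")).encode())
    payload = "" if response_obj is None else b64url(
        json.dumps(response_obj, separators=(",", ":")).encode())
    signature = sign_placeholder(f"{p}.{payload}".encode())
    return {"protected": p, "payload": payload, "signature": b64url(signature)}


def handle_challenge_post(challenge: dict, jws: dict) -> dict:
    """Server side of section 7.5.1 (signature and nonce checks omitted):
    the payload is the response object; fields not defined for this challenge
    type are ignored; accepted fields are merged into the challenge, which
    moves from 'pending' to 'processing'. Returns the updated challenge."""
    protected = json.loads(b64url_decode(jws["protected"]))
    if protected.get("url") != challenge["url"]:
        # Section 6.4: the "url" header must match the URL the JWS was sent to.
        raise ValueError("JWS url does not match challenge URL")
    raw = b64url_decode(jws["payload"])
    if raw == b"":
        return dict(challenge)  # POST-as-GET: a read, no state change
    response = json.loads(raw)
    if not isinstance(response, dict):
        raise ValueError("response object must be a JSON object")
    allowed = RESPONSE_FIELDS[challenge["type"]]
    accepted = {k: v for k, v in response.items() if k in allowed}
    return {**challenge, **accepted, "status": "processing"}


if __name__ == "__main__":
    # Constructed challenge object and identifiers for a stand-alone run.
    chall = {"type": "http-01", "url": "https://example.com/acme/chall/1",
             "status": "pending", "token": "constructed-token"}
    jws = build_challenge_post(chall["url"], "https://example.com/acme/acct/1",
                               "constructed-nonce", {})
    print(json.dumps(handle_challenge_post(chall, jws), indent=2))
```

The point of the two branches in handle_challenge_post is the one the erratum turns on: an empty payload string and an empty JSON object are different things on the wire, and a server has to read "{}" as a response object (possibly carrying fields for other challenge types) rather than as "no body".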