[Acme] Retrying challenges - spec bug?

Rob Stradling <rob@sectigo.com> Mon, 20 May 2019 12:56 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/2oBpC7vGbyQAAedypqHCrieLIow>

https://tools.ietf.org/html/rfc8555#section-8.2 says:
   'The server MUST add an entry to the "error" field in the challenge
    after each failed validation query.'

And https://tools.ietf.org/html/rfc8555#section-8 says:
   'A challenge object with an error MUST have status equal to
    "invalid".'

The state transition diagram for challenge objects 
(https://tools.ietf.org/html/rfc8555#section-7.1.6) appears to 
indicate(*) that "invalid" is a final state for a challenge object, 
meaning that it is no longer possible for it to transition to "valid" 
and that retrying the challenge would therefore be pointless.

ISTM that the "error" field could be a very useful feedback mechanism 
in between retries, and that a challenge should only go to the "invalid" 
state once the ACME server has stopped retrying validation queries for 
that challenge.  Is this what the authors intended?

Do folks agree that 'A challenge object with an error MUST have status 
equal to "invalid"' is a bug in the spec?


(*) I wonder if I'm reading the state transition diagrams correctly...
In section 7.1.6, the state transition diagram for authorization objects 
shows that "invalid" is a final state...right?  But if that's the case, 
why does this sentence not list "invalid" as a final state?

   'The order also moves to the "invalid" state if it expires or one of
    its authorizations enters a final state other than "valid"
    ("expired", "revoked", or "deactivated").'

-- 
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited
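A small model of the challenge state machine from RFC 8555 section 7.1.6, added here as an example (it is not code from the post above or from any ACME implementation), to make the tension concrete: an "error" entry is appended after each failed validation query, every retry is checked against the state diagram, and section_8_conformant tests the sentence the post quotes. The outcome sequences and error details are constructed; the error type is the "connection" type from RFC 8555 section 6.7.

```python
from dataclasses import dataclass, field

# Challenge diagram, RFC 8555 7.1.6: "processing" self-loops on retry; "valid"/"invalid" have no exits.
TRANSITIONS = {
    "pending": {"processing"},
    "processing": {"processing", "valid", "invalid"},
    "valid": set(),
    "invalid": set(),
}
FINAL = {s for s, nxt in TRANSITIONS.items() if not nxt}  # states with no outgoing edge

@dataclass
class Challenge:
    status: str = "pending"
    error: list = field(default_factory=list)  # one entry per failed validation query

    def transition(self, new_status):
        if new_status not in TRANSITIONS[self.status]:
            raise ValueError(f"cannot move from {self.status} to {new_status}")
        self.status = new_status

def section_8_conformant(ch):
    """Section 8: 'A challenge object with an error MUST have status "invalid"'."""
    return not ch.error or ch.status == "invalid"

def validate(outcomes, spec_literal):
    """Apply constructed validation-query outcomes (True = success) to a fresh challenge.
    spec_literal=True marks the challenge "invalid" at the first error (section 8 read
    literally); False records errors as feedback and only goes "invalid" once retries
    are exhausted (the post's reading). Returns (challenge, retries rejected)."""
    ch = Challenge()
    ch.transition("processing")  # client has responded to the challenge
    rejected = 0
    for attempt, ok in enumerate(outcomes):
        if attempt > 0:
            try:
                ch.transition("processing")  # server retry via the self-loop
            except ValueError:  # "invalid" is final, so the retry cannot happen
                rejected += 1
                continue
        if ok:
            ch.transition("valid")
            break
        ch.error.append({"type": "urn:ietf:params:acme:error:connection", "detail": f"constructed failure, attempt {attempt}"})
        if spec_literal:
            ch.transition("invalid")
    if ch.status not in FINAL:
        ch.transition("invalid")  # server has stopped retrying
    return ch, rejected
```

With spec_literal=True a single failure makes the challenge "invalid" and every later retry is rejected by the state machine; with spec_literal=False the same three-attempt sequence ends "valid" with two error entries, which is exactly the object the section 8 sentence forbids.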