Re: [Acme] Mail regarding craft of hash for draft-ietf-acme-dns-account-challenge

Seo Suchan <tjtncks@gmail.com> Sat, 03 February 2024 08:59 UTC

Message-ID: <ab7caac8-52b8-4416-9083-fe8533d51ec4@gmail.com>
Date: Sat, 03 Feb 2024 17:59:47 +0900
To: Amir Omidi <amir@aaomidi.com>
Cc: acme@ietf.org
References: <31b872f6-2ced-41b3-b22c-58ae89058570@gmail.com> <CAOG=JULrdnk4wYBKB-pfY4kXK=fF=ODi6PZ3wEj=zn7B4=nZXQ@mail.gmail.com>
From: Seo Suchan <tjtncks@gmail.com>
In-Reply-To: <CAOG=JULrdnk4wYBKB-pfY4kXK=fF=ODi6PZ3wEj=zn7B4=nZXQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/7-Z6A8HGyvBj7O3LD725KvyBmiM>
Subject: Re: [Acme] Mail regarding craft of hash for draft-ietf-acme-dns-account-challenge

If it's stable but has multiple valid paths (ex: acme-v1.ca.com and 
acme-v2.ca.com), would the server need to try both subdomains and look up 
every possible valid path?

On 2024-02-03 at 1:35 AM, Amir Omidi wrote:
> From my understanding, under ACME we treat that entire accountURL as 
> the userID. So I think that URL will need to be stable.
>
> On Fri, Feb 2, 2024 at 2:36 AM Seo Suchan <tjtncks@gmail.com> wrote:
>
>     Some ACME servers have multiple allowed ACME endpoint
>     domains,
>     and the server doesn't know what domain name the client used to access its
>     API,
>     thus it doesn't have the full accounturl that was used to craft the challenge
>     subdomain:
>
>     Like Boulder (what Let's Encrypt uses), which allows being accessed from
>     multiple
>     paths, ex:
>
>     "accountURIPrefixes": [
>         "http://boulder.service.consul:4000/acme/reg/",
>         "http://boulder.service.consul:4001/acme/acct/"
>     ]
>
>     and Pebble and smallstep do not have a host in config but allow
>     any IP
>     or domain pointed to them and reflect it to create links to
>     account/order/etc.
>
>     Would using only the userid part of the accountURL (ExampleAccount) from
>     https://example.com/acme/acct/ExampleAccount be a problem? While it's
>     trivial to get from the hash to the accounturl, as the accountID was an
>     autoincrementing counter, there are so few large ACME
>     providers
>     that it was trivial to make a rainbow table anyway.
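Added example, not code from the thread, the draft, or Boulder: a server that, as the reply above asks, has to try every configured prefix because it does not know which account URL the client used. It assumes the label construction from draft-ietf-acme-dns-account-challenge as I recall it (`_` + base32 of the first 10 bytes of SHA-256 of the account URL + `._acme-challenge`; verify against the current draft text), reuses the two Boulder `accountURIPrefixes` quoted above, and replaces the DNS TXT lookup with a constructed dictionary.

```python
import base64
import hashlib
from typing import Dict, Iterable, Optional

# Constructed example: the two accountURIPrefixes quoted from the Boulder config in the thread.
ACCOUNT_URI_PREFIXES = [
    "http://boulder.service.consul:4000/acme/reg/",
    "http://boulder.service.consul:4001/acme/acct/",
]


def challenge_label(account_url: str) -> str:
    # Assumed construction from draft-ietf-acme-dns-account-challenge:
    # "_" + base32(SHA-256(account URL)[0:10]) + "._acme-challenge".
    # 10 bytes encode to exactly 16 base32 characters, so there is no padding.
    digest = hashlib.sha256(account_url.encode("ascii")).digest()[:10]
    return "_" + base64.b32encode(digest).decode("ascii").lower() + "._acme-challenge"


def candidate_labels(account_id: str, prefixes: Iterable[str]) -> Dict[str, str]:
    # One label per URL the account could be known by. Since the server does not
    # know which prefix the client used, every prefix yields a candidate name.
    return {prefix + account_id: challenge_label(prefix + account_id) for prefix in prefixes}


def validate(account_id: str, domain: str, prefixes: Iterable[str],
             zone: Dict[str, str], expected_value: str) -> Optional[str]:
    # `zone` is a constructed stand-in for DNS TXT queries: name -> TXT value.
    # Returns the account URL whose derived label carries the expected value, else None.
    for account_url, label in candidate_labels(account_id, prefixes).items():
        name = f"{label}.{domain}"
        if zone.get(name) == expected_value:
            return account_url
    return None


if __name__ == "__main__":
    labels = candidate_labels("42", ACCOUNT_URI_PREFIXES)
    for url, label in labels.items():
        print(f"{url} -> {label}")
    # Constructed zone: the client provisioned the record under the :4001 URL.
    zone = {labels["http://boulder.service.consul:4001/acme/acct/42"] + ".example.com": "tok"}
    print(validate("42", "example.com", ACCOUNT_URI_PREFIXES, zone, "tok"))
```

The two candidate labels differ even though the account id is the same, which is the cost the reply points at: one DNS lookup per configured prefix.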