[Acme] Hash algorithms for challenges
Logan Widick <logan.widick@gmail.com> Tue, 07 March 2017 22:40 UTC
Return-Path: <logan.widick@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D154B127058 for <acme@ietfa.amsl.com>; Tue, 7 Mar 2017 14:40:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c9cMpbgMqGB7 for <acme@ietfa.amsl.com>; Tue, 7 Mar 2017 14:40:50 -0800 (PST)
Received: from mail-pg0-x22b.google.com (mail-pg0-x22b.google.com [IPv6:2607:f8b0:400e:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BCCC4120726 for <acme@ietf.org>; Tue, 7 Mar 2017 14:40:50 -0800 (PST)
Received: by mail-pg0-x22b.google.com with SMTP id 187so5461444pgb.3 for <acme@ietf.org>; Tue, 07 Mar 2017 14:40:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=tQTQTCLcQ9iViWq10Bqxj6f0xuzxwaoinceM/83voew=; b=lAe+hmXLS4NZuH2LjsD4oStwqOHqsYamSjFb04EFrJZAxv2e+6xoAEQtGfQMuq8Ech wbyQ8QErTkL0YukC4Pj3/tUEa30by7gGGVUHtsSWoSwRTlp5U26Y8F7unPw5LBakU14u bV23g5S+sN0j6rhQoE5uSn/qj5St9tZztF2vk8wZrflMLH+gnSPEAxzvvIwbs9VZYH/c kFfR62fkr29O47YNczfzb+EA66+DfDuSt79ZEqdf9WLCu/H98OjyVsU1aXQka6ywEtil 0CAAilRIsd5G1Ip12EfJotSgvmM022xwh5VYfygGA+91YvZUAW+H7xEvDcvczE8V4xR+ xf+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=tQTQTCLcQ9iViWq10Bqxj6f0xuzxwaoinceM/83voew=; b=R2/I7B1vF/lIaCpxmuBGvYn79W9xNQibhC5FnCbsiUZGIBNAw5EJywgo1+xSWK0ryR CjsPUf6po8frzIVTeIiTPWUTBfqjb84lgZpFCzqdUjmLzIMxOzV61lX9QHzOTyReQ4dY vVirWsM0WER5INGv9DTOn+D/PtFAjSwsyboIAj5HRPAGtECuUvB48uc8vHRwCc+mpJPy 4S2EN+iN2UqjAag0WctMi2JUlZsuoqBraTjWNr8jv9Pqa/1OeyWBw2Qlzh7zXmoq8rtZ 8LcNGklGCxlejIlmPV47jlriFOrtDYtE2WgL3BiG4lIU+5sFTGBRawjGD1k5MotqPdu2 sU+g==
X-Gm-Message-State: AMke39kh/PxUKaSXgleuGCr06EYA6V+YTQGQ1QdEdqTmFR9pcMtd6AKJ6xZmjPox12y5Z0ecM0UgwiDaFdNCKg==
X-Received: by 10.98.51.70 with SMTP id z67mr3112954pfz.68.1488926449950; Tue, 07 Mar 2017 14:40:49 -0800 (PST)
MIME-Version: 1.0
Received: by 10.100.130.129 with HTTP; Tue, 7 Mar 2017 14:40:49 -0800 (PST)
From: Logan Widick <logan.widick@gmail.com>
Date: Tue, 07 Mar 2017 16:40:49 -0600
Message-ID: <CAMmAzE+yqFXWVcgHmBGaGR21sx0a0-VUBogoFLxFcrvoFrwkYw@mail.gmail.com>
To: acme@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/EyB-H9PKXN72zLsyiT8pIzPh-R0>
Subject: [Acme] Hash algorithms for challenges
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 22:40:54 -0000
I noticed that the challenges in the draft seem to be tied to the same hash algorithm (SHA-256). Would it be possible to have the the server include an array of supported hash algorithms, and then have the client specify which one of the server's supported algorithms is used in the response? This way, the hash algorithms can be changed when needed without changing the challenges themselves. For example, consider the following directory, modified to include the server's supported hash algorithms: { "new-nonce": "https://example.com/acme/new-nonce", //other standard URIs here "meta": { "terms-of-service": "https://example.com/acme/terms", "website": "https://www.example.com/", "caa-identities": ["example.com"], "hash-algorithms": ["SHA-256", "SHA-512"] }, Alternatively, the server's hash algorithms could be included in the challenges, like this: { "type": "http-01", "url": "https://example.com/authz/1234/0", "token": "DGyRejmCefe7v4NfDGDKfA", "hash-algorithms":["SHA-256", "SHA-512"] } Then, the client indicates the preferred hash algorithm (from the server's list) in the response: { "protected": base64url({ "alg": "ES256", "kid": "https://example.com/acme/acct/1", "nonce": "Q_s3MWoqT05TrdkM2MTDcw", "url": "https://example.com/acme/authz/asdf/0" }), "payload": base64url({ "type": "http-01", "keyAuthorization": "IlirfxKKXA...vb29HhjjLPSggwiE", "hash-algorithm": "SHA-256" }), "signature": "9cbg5JO1Gf5YLjjz...SpkUfcdPai9uVYYQ" } For compatibility with existing implementations, the default hash algorithm if none is specified could be SHA-256. Sincerely, Logan Widick
- [Acme] Hash algorithms for challenges Logan Widick
- Re: [Acme] Hash algorithms for challenges Martin Thomson
- Re: [Acme] Hash algorithms for challenges Salz, Rich
- Re: [Acme] Hash algorithms for challenges Richard Barnes