Re: [Acme] Retrying challenges - spec bug?

Rob Stradling <rob@sectigo.com> Thu, 23 May 2019 09:56 UTC

From: Rob Stradling <rob@sectigo.com>
To: "acme@ietf.org" <acme@ietf.org>
Date: Thu, 23 May 2019 09:56:53 +0000
Message-ID: <06ed331e-c3a4-02fe-5278-8d5a37be1ee9@sectigo.com>
In-Reply-To: <f0ecc1c3-0358-1896-3d5a-20591f74679e@sectigo.com>
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/FncBd1SxbaRr-NXfxik7o4R1u_c>

I've filed an erratum for this as well:
http://www.rfc-editor.org/errata/eid5732

On 20/05/2019 13:56, Rob Stradling wrote:
> https://tools.ietf.org/html/rfc8555#section-8.2 says:
>     'The server MUST add an entry to the "error" field in the challenge
>      after each failed validation query.'
> 
> And https://tools.ietf.org/html/rfc8555#section-8 says:
>     'A challenge object with an error MUST have status equal to
>      "invalid".'
> 
> The state transition diagram for challenge objects
> (https://tools.ietf.org/html/rfc8555#section-7.1.6) appears to
> indicate(*) that "invalid" is a final state for a challenge object,
> meaning that it is no longer possible for it to transition to "valid"
> and that retrying the challenge would therefore be pointless.
> 
> ISTM that the "error" field could be a very useful feedback mechanism
> in between retries, and that a challenge should only go to the "invalid"
> state once the ACME server has stopped retrying validation queries for
> that challenge.  Is this what the authors intended?
> 
> Do folks agree that 'A challenge object with an error MUST have status
> equal to "invalid"' is a bug in the spec?
> 
> 
> (*) I wonder if I'm reading the state transition diagrams correctly...
> In section 7.1.6, the state transition diagram for authorization objects
> shows that "invalid" is a final state...right?  But if that's the case,
> why does this sentence not list "invalid" as a final state?
> 
>     'The order also moves to the "invalid" state if it expires or one of
>      its authorizations enters a final state other than "valid"
>      ("expired", "revoked", or "deactivated").'
> 

-- 
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited
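
An added illustration (not RFC 8555 text, and not code from Sectigo or any ACME server) of the point the thread is making: a toy model of the challenge-object state machine from RFC 8555 section 7.1.6, run under the two readings of the quoted sentences. The transition table is taken from the section 7.1.6 challenge diagram, the error "type" is the registered urn:ietf:params:acme:error:connection value, and the per-query outcomes (lists of True/False) are constructed for the example. The errors_force_invalid flag, the Challenge class and the helper names are assumptions of this model, not spec terms.

```python
# Added illustration (not RFC 8555 text or any CA's code): a toy model of the
# challenge-object state machine from RFC 8555 section 7.1.6, used to show why
# the two quoted sentences conflict. Error types are registered ACME
# urn:ietf:params:acme:error:* values; the query outcomes are constructed.
from dataclasses import dataclass, field

# Outgoing transitions the section 7.1.6 challenge diagram allows.
# "valid" and "invalid" have none: they are final states.
CHALLENGE_TRANSITIONS = {
    "pending": {"processing"},                          # client responds to the challenge
    "processing": {"processing", "valid", "invalid"},   # retry, or a validation outcome
    "valid": set(),
    "invalid": set(),
}


@dataclass
class Challenge:
    status: str = "pending"
    error: list = field(default_factory=list)   # one entry per failed validation query

    def transition(self, new_status: str) -> None:
        if new_status not in CHALLENGE_TRANSITIONS[self.status]:
            raise ValueError(f"no transition {self.status!r} -> {new_status!r}")
        self.status = new_status


def can_retry(challenge: Challenge) -> bool:
    """True if the server may run another validation query (re-enter 'processing')."""
    return "processing" in CHALLENGE_TRANSITIONS[challenge.status]


def validate(challenge: Challenge, query_results, errors_force_invalid: bool) -> Challenge:
    """Server-side validation loop over a list of constructed query outcomes.

    errors_force_invalid=True applies the section 8 sentence literally: the first
    recorded error makes the challenge "invalid", after which no retry is possible.
    errors_force_invalid=False is the reading the thread argues for: errors are
    recorded between retries and "invalid" is entered only when retries stop.
    (The flag is an assumption of this model, not a spec parameter.)
    """
    challenge.transition("processing")
    for attempt, ok in enumerate(query_results, start=1):
        if ok:
            challenge.transition("valid")
            return challenge
        # Section 8.2: add an "error" entry after each failed validation query.
        challenge.error.append({
            "type": "urn:ietf:params:acme:error:connection",
            "detail": f"validation query {attempt} failed",
        })
        if errors_force_invalid:
            challenge.transition("invalid")
            return challenge
        if can_retry(challenge):
            challenge.transition("processing")   # server retry (self-loop in the diagram)
    challenge.transition("invalid")              # retries exhausted
    return challenge


def compare_readings(query_results):
    """Run the same outcomes under both readings and report (status, #errors, retry possible)."""
    literal = validate(Challenge(), query_results, errors_force_invalid=True)
    erratum = validate(Challenge(), query_results, errors_force_invalid=False)
    return {
        "literal": (literal.status, len(literal.error), can_retry(literal)),
        "erratum": (erratum.status, len(erratum.error), can_retry(erratum)),
    }


if __name__ == "__main__":
    # Constructed scenario: two transient failures, then success on the third query.
    print(compare_readings([False, False, True]))
```

With two transient failures followed by a success, the literal reading parks the challenge in "invalid" after the first failed query with one error recorded and no transition out, so the later successful query can never be reflected; the other reading ends in "valid" with both errors still visible in the "error" field, which is the feedback-between-retries behaviour the message describes, but contradicts the section 8 sentence as written.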