Re: [Acme] various issues with the spec

Stefan Bühler <> Sat, 13 June 2015 21:21 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id B2E811B29A9 for <>; Sat, 13 Jun 2015 14:21:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1.339
X-Spam-Level: *
X-Spam-Status: No, score=1.339 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id W5GRjRKPg4iY for <>; Sat, 13 Jun 2015 14:21:27 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 66B1C1B29A7 for <>; Sat, 13 Jun 2015 14:21:27 -0700 (PDT)
Received: from chromobil.localdomain (unknown [IPv6:2a02:8070:a18c:cc00:baca:3aff:fed7:a10a]) by (Postfix) with ESMTPSA id E58CEB8039A for <>; Sat, 13 Jun 2015 21:21:23 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=stbuehler1; t=1434230484; bh=VAHgB+0tfRnhYfvnxKsdkRoXW+7uZezIxf/AadnDDRk=; h=Date:From:To:Subject:In-Reply-To:References:From; b=p9oMDg26WTm+xn98aW+G3vE0oEoMiog9ZzqhHBTN/eEPS+mStZaROlT5TAbCX1Ef3 WlT6ut1k/lZas4TzUwQlWtF8UkjxsJ3ZE0XtFU1ENcDeonSLcZe97/f9O404yO1WUT w2iGhLihCHjyy/7LYfl838PDt6mXWzEZKBI3TiMI=
Date: Sat, 13 Jun 2015 23:21:21 +0200
From: Stefan =?UTF-8?B?QsO8aGxlcg==?= <>
Message-ID: <20150613232121.51f292af@chromobil.localdomain>
In-Reply-To: <20150609221325.63935a29@chromobil.localdomain>
References: <20150609221325.63935a29@chromobil.localdomain>
X-Mailer: Claws Mail 3.11.1 (GTK+ 2.24.25; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [Acme] various issues with the spec
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 13 Jun 2015 21:21:29 -0000

Hi again,

now that I realized the link to the "Latest Version" doesn't
actually point to the latest version I'm updating my issue list.

As it doesn't look like there is anyone interested in them on this
mailing list I'll keep them to myself, or post them to github when I
find the time.

On Tue, 9 Jun 2015 22:13:25 +0200
Stefan Bühler <>; wrote:

> Hi all,
> I've been working on a my own acme client (written in Go).
> There are some issues I came across, and I thought I'd list them here.
> They are too many to write separate mails for each one :)
> * Updating registrations: sending empty "contact" and "agreement"
> should actually reset them (if allowed) compared to not sending them,
> which should just keep them as they are (and this should be
> documented, not just happen to be an implementation detail).
>   This also means a user can officially query the registration by
>   POSTing an empty (signed) JSON object to the registration URI.
> * A registration update response should include the rel="next" link
> and the rel="terms-of-service" link, if it would have been sent for a
> new registration.
> * The "success" status code for updates should be documented. Right
> now it seems to be "202 Accepted"
> * There should be a way to list all authorizations for a registration,
>   and also a way to list all certificates authorized by an
>   authorization.
> * simpleHttps cannot require the https certificate to use the public
>   key of either registration or the "future" key; the registration
>   private key should never be available to the web server, and the
>   "future" key is not given at that stage.
>   Whether https or http is used doesn't matter much here; although I
>   see no reason not to require https - it makes MITM harder, because
> an attacker risks getting caught.
> * The simpleHttps path should be more restricted to prevent path
>   traversals. (
> * dvsni should not require the target domain to be part of the
>   certificate; some TLS implementations have quite nice SNI support by
>   automatically selecting a matching certificate.
>   During the process of authorization you don't want to break your
>   normal setup by accidentally using the dvsni certificate.
> * 5.5 `If the final state is "valid", ... or add a "recoveryToken"
>   field.`
>   There is currently no way for a client to see "private" information
>   about a authorization, as it doesn't support a (signed) POST
> request.
>   I think it would be a good idea to define "private" (and completely
>   hidden, see below) fields in an authorization request which can only
>   be seen by the currect signed request - for example the "key" field
>   (which isn't listed by a GET request) and such "recoveryToken"
> field.
> * 6.3. Recovery Contact: `using contact information provided by the
>   client in a prior authorizationRequest message.` - I don't see any
>   way to provide such contact information - the contact information is
>   only provided in the registration, not in the authorization.
>   5.5 mentions a "recoveryToken", which would be provided by the
>   server, not the client!
> * 6.4. Recovery Token: the server must never show the token used to
>   satisfy the challenge.
>   That way an authorization can be passed on to a different user, i.e.
>   someone else tells me the URL to post my registration recovery token
>   to, enabling them to takeover the domain without me having to give
>   them my recovery token.
> * What happens to an expired authorization? Do users create new
>   authorizations or reuse the old one?
>   The same user should get redirected to an existing authorization
> when trying to create a new one for the same identifier (of course you
>   shouldn't redirect to an authorization by a different user).
> * Updates should use (or at least allow) "PUT" instead of "POST", as
>   they should be idempotent.
> * Please document the various "status" more detailed (possible values
>   and their interpretations)
> * Please document the generic fields a challenge has ("type",
> "status", "url", "validated").
> I didn't start working on certificates yet, so there might be more; I
> also only had a closer look at simpleHttps and dvsni so far, not at
> the other challenge types.
> Best regards,
> Stefan
> _______________________________________________
> Acme mailing list