Re: [Acme] Repeated tokens for different challenges in same authorization

Russ Housley <housley@vigilsec.com> Mon, 13 February 2017 20:20 UTC

From: Russ Housley <housley@vigilsec.com>
Date: Mon, 13 Feb 2017 15:20:01 -0500
To: Jacob Hoffman-Andrews <jsha@eff.org>
Cc: IETF ACME <acme@ietf.org>
Subject: Re: [Acme] Repeated tokens for different challenges in same authorization
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/SBMKVIh4w3ojWTlRnqNE0sxrTe4>

> In the WGLC thread, Russ asked:
> 
>> In Section 6.5, should the example use different challenges for "http-01", "tls-sni-02", and "dns-01"?
> (https://ietf-wg-acme.github.io/acme/#rfc.section.6.5)
> 
> I assume you meant "token" here, and no, I think the token can be the same across multiple challenges for the same authorization. Boulder (Let's Encrypt's implementation) doesn't currently do this, but will in the future. If you think there's a risk in this, please let us know!

I do not think it is a risk with the authorizations that have been defined. I was wondering about a situation where a client makes a mistake. If a client tries to fulfill one of the authorizations and for some reason is unable to do so completely, and then moves to another authorization, can the half-done first authorization cause a problem?

Russ