[Acme] Mail regarding craft of hash for draft-ietf-acme-dns-account-challenge

Seo Suchan <tjtncks@gmail.com> Fri, 02 February 2024 07:35 UTC

Message-ID: <31b872f6-2ced-41b3-b22c-58ae89058570@gmail.com>
Date: Fri, 02 Feb 2024 16:35:51 +0900
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: acme@ietf.org
Content-Language: en-US, ko
From: Seo Suchan <tjtncks@gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/T0xvnDbiy8CQL632a4Uv6D0ZVHg>
Subject: [Acme] Mail regarding craft of hash for draft-ietf-acme-dns-account-challenge
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Feb 2024 07:35:57 -0000

For some ACME servers there are multiple allowed ACME endpoint domains, 
and the server doesn't know what domain name the client used to access its API, 
thus it doesn't have the full account URL that is used to craft the challenge subdomain:

Like boulder (what Let's Encrypt uses) allows being accessed from multiple 
paths, e.g.:

"accountURIPrefixes": [
    "http://boulder.service.consul:4000/acme/reg/",
    "http://boulder.service.consul:4001/acme/acct/"
]

And pebble and smallstep do not have a host in their config but allow any IP 
or domain pointed at them and reflect it to create the links to 
account/order/etc.

Would using only the user ID part of the account URL (ExampleAccount) from 
https://example.com/acme/acct/ExampleAccount have a problem? While it's 
trivial to extract the account URL from the hash, as the account ID was an 
autoincrementing counter, there are so few large ACME providers that 
it was trivial to make a rainbow table anyway.
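To make the hashing and the reversal concrete, here is an added example. It is not code from the draft, from Boulder, Pebble or smallstep, and not the poster's. It assumes the label construction in draft-ietf-acme-dns-account-challenge as this editor reads it: "_" followed by the lowercase, unpadded base32 of the first 10 bytes of SHA-256(accountURL), followed by "._acme-challenge". The two Boulder prefixes are the ones quoted in the message; the account IDs and the ExampleAccount URL are constructed. The example shows (1) that the same account ID under two different prefixes yields two different labels, which is the server-side problem raised above, and (2) that with a counter-style ID and a short list of known prefixes the account URL is recovered from the label by plain enumeration, which is the rainbow-table point.

```python
import base64
import hashlib
from typing import Iterable, Optional

# Assumed label construction (draft-ietf-acme-dns-account-challenge, as read by
# this editor): "_" || base32(SHA-256(accountURL)[0:10]) || "._acme-challenge",
# base32 in lowercase with no padding (10 bytes -> exactly 16 characters).
ACME_SUFFIX = "._acme-challenge"


def account_label(account_url: str) -> str:
    """Return the per-account label derived from the full account URL."""
    digest = hashlib.sha256(account_url.encode("utf-8")).digest()
    b32 = base64.b32encode(digest[:10]).decode("ascii").lower()
    return "_" + b32 + ACME_SUFFIX


def validation_name(account_url: str, domain: str) -> str:
    """Full DNS name the CA would query for `domain` under this account."""
    return account_label(account_url) + "." + domain


def recover_account(label: str, prefixes: Iterable[str], max_id: int) -> Optional[str]:
    """Brute-force the account URL back out of a label.

    With autoincrementing account IDs and only a handful of public prefixes,
    the search space is prefixes x max_id, so this is a rainbow-table-sized
    problem, not a preimage problem.
    """
    for prefix in prefixes:
        for acct_id in range(1, max_id + 1):
            candidate = f"{prefix}{acct_id}"
            if account_label(candidate) == label:
                return candidate
    return None


# Constructed data: the two prefixes quoted from the Boulder config above and a
# made-up account ID. Same account, two prefixes, two different labels.
BOULDER_PREFIXES = [
    "http://boulder.service.consul:4000/acme/reg/",
    "http://boulder.service.consul:4001/acme/acct/",
]
ACCOUNT_ID = 42
URL_VIA_REG = f"{BOULDER_PREFIXES[0]}{ACCOUNT_ID}"
URL_VIA_ACCT = f"{BOULDER_PREFIXES[1]}{ACCOUNT_ID}"


def labels_differ_by_prefix() -> bool:
    """True when the same account ID hashes differently under each prefix."""
    return account_label(URL_VIA_REG) != account_label(URL_VIA_ACCT)


if __name__ == "__main__":
    for url in (URL_VIA_REG, URL_VIA_ACCT):
        print(url, "->", validation_name(url, "www.example.org"))
    print("prefix matters:", labels_differ_by_prefix())
    # Reverse the label seen in DNS back to the account URL by enumeration.
    seen = account_label(URL_VIA_ACCT)
    print("recovered:", recover_account(seen, BOULDER_PREFIXES, 1000))
```

The server-side consequence is visible in `labels_differ_by_prefix`: a CA that does not know which of its prefixes the client used cannot compute the label the client put in DNS unless it tries every prefix. The recovery function shows why hashing the full URL does not hide which account is behind a label when IDs are sequential and the set of CA prefixes is small.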