[Acme] Inconsistent example URL for acknowledging that a challenge can be validated by the server

"Pinter, Jannis" <Jannis.Pinter@secorvo.de> Mon, 22 October 2018 15:09 UTC

From: "Pinter, Jannis" <Jannis.Pinter@secorvo.de>
To: "acme@ietf.org" <acme@ietf.org>
CC: Hans-Joachim Knobloch <hans-joachim.knobloch@secorvo.de>
Date: Mon, 22 Oct 2018 15:09:42 +0000
Message-ID: <d7a98d9e9df74682acd4333aa26476f9@secexch.secorvo.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/V0UBH4WnZMctQHzyOoY7my17lYQ>

I am currently implementing ACME-compatible software and working my way through the latest draft version 16 (draft-ietf-acme-acme-16). I have noticed that with version 16 of the draft, you have randomized the URLs that are used in the examples and moved certain challenge-related functionality from /acme/authz/ to a dedicated /acme/chall/ path.

I think I have spotted an inconsistency related to that change while studying how a client responds to the server to acknowledge that a challenge can be validated.

In section 8.3. HTTP Challenge, the destination URL in the provided example was changed from "/acme/authz/1234/0" to "/acme/authz/PAniVnsZcis/0" whereas in section 8.4. DNS Challenge, the destination URL in the provided example was changed from "/acme/authz/1234/2" to "/acme/chall/Rg5dV14Gh1Q".

I guess that line 32 on page 60 should be:
	POST /acme/chall/prV_B7yEyA4
instead of:
	POST /acme/authz/PAniVnsZcis/0

This is also defined in section 7.5.1, Responding to Challenges, where the draft clearly says "[...] carried in a POST request to the challenge URL (not authorization URL)." Otherwise there are now two ways of acknowledging that a challenge can be validated and it is not clear which one can be used with which challenge type.

I may be completely wrong on this and the behavior is intended the way it is described in the current draft. However, I was just wondering whether this is a mistake or actually correct.
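As an added illustration of the point raised in the message (this is not code from the message or from the draft), the following shows a client selecting the challenge's own "url" from the authorization object and building the "{}" challenge response as a flattened JWS addressed to that URL, plus the server-side check that the "url" in the protected header matches the request target. The authorization object is a constructed sample in draft-16 shape, and the ES256 signer is a caller-supplied callable (an assumption, stubbed here rather than implemented).

```python
import base64
import json
from typing import Callable


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def challenge_url(authz: dict, chall_type: str) -> str:
    """Return the dedicated 'url' of the challenge of the given type.
    The response is POSTed there, never to a path derived from the
    authorization URL such as <authz-url>/0 (draft section 7.5.1)."""
    for chall in authz["challenges"]:
        if chall["type"] == chall_type:
            return chall["url"]
    raise KeyError(f"no {chall_type} challenge in authorization")


def build_challenge_response(url: str, kid: str, nonce: str,
                             sign: Callable[[bytes], bytes]) -> dict:
    """Flattened JWS carrying the empty payload "{}" to the challenge URL.
    `sign` is assumed to be an ES256 signer over the JWS signing input."""
    protected = {"alg": "ES256", "kid": kid, "nonce": nonce, "url": url}
    p = b64url(json.dumps(protected, separators=(",", ":")).encode())
    payload = b64url(b"{}")
    signing_input = f"{p}.{payload}".encode("ascii")
    return {"protected": p, "payload": payload,
            "signature": b64url(sign(signing_input))}


def protected_header(jws: dict) -> dict:
    """Decode the protected header of a flattened JWS (re-adds padding)."""
    raw = jws["protected"] + "=" * (-len(jws["protected"]) % 4)
    return json.loads(base64.urlsafe_b64decode(raw))


def url_header_matches(jws: dict, request_url: str) -> bool:
    """Server-side check: the 'url' header must equal the URL actually
    requested; a mismatch is rejected as unauthorized (draft section 6.4)."""
    return protected_header(jws).get("url") == request_url


# Constructed sample authorization (not taken from the draft's examples).
SAMPLE_AUTHZ = {
    "status": "pending",
    "identifier": {"type": "dns", "value": "example.org"},
    "challenges": [
        {"type": "http-01", "status": "pending", "token": "constructed-token-1",
         "url": "https://example.com/acme/chall/prV_B7yEyA4"},
        {"type": "dns-01", "status": "pending", "token": "constructed-token-2",
         "url": "https://example.com/acme/chall/Rg5dV14Gh1Q"},
    ],
}
```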