Re: [Acme] various issues with the spec

Stefan Bühler <> Sat, 13 June 2015 22:24 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 534951B3112 for <>; Sat, 13 Jun 2015 15:24:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1.339
X-Spam-Level: *
X-Spam-Status: No, score=1.339 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id uksp7BYUBTWO for <>; Sat, 13 Jun 2015 15:24:39 -0700 (PDT)
Received: from ( [IPv6:2a01:4f8:a0:2276::2]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CF5021B3114 for <>; Sat, 13 Jun 2015 15:24:38 -0700 (PDT)
Received: from chromobil.localdomain (unknown [IPv6:2a02:8070:a18c:cc00:baca:3aff:fed7:a10a]) by (Postfix) with ESMTPSA id 9BEBCB8039A for <>; Sat, 13 Jun 2015 22:24:36 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=stbuehler1; t=1434234276; bh=nGj6xu5a9gGAGH9XHSIhIHj17VRkT0lsNspALmtoLIY=; h=Date:From:To:Subject:In-Reply-To:References:From; b=J0u0kEsxkCqShxHWPXifEYi18x/2BhzKOnirNzFh96OoKUTcTddhFQ7v26W8R/Yk+ t1dCgNpK8LCVvoHHC8ViO8RquatMcavSFkiWtCbUCQ+CVAJS+C7TNFNsMDF8S7Mwyi SwsggqxrI5cy/ZAsbvoNmw1NOiBhGqRC6pFtcTVE=
Date: Sun, 14 Jun 2015 00:24:32 +0200
From: Stefan =?UTF-8?B?QsO8aGxlcg==?= <>
Message-ID: <20150614002432.58be28e7@chromobil.localdomain>
In-Reply-To: <>
References: <20150609221325.63935a29@chromobil.localdomain> <20150613232121.51f292af@chromobil.localdomain> <>
X-Mailer: Claws Mail 3.11.1 (GTK+ 2.24.25; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [Acme] various issues with the spec
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 13 Jun 2015 22:24:40 -0000

On Sat, 13 Jun 2015 21:24:41 +0000
"Salz, Rich" <>; wrote:
> > As it doesn't look like there is anyone interested in them on this
> > mailing list I'll keep them to myself, or post them to github when
> > I find the time.
> No, please post here.

Ok, here we go:

* I don't see how a client would determine the /acme/revoke-cert URI,
  it isn't part of any Link header as far as I could see. Perhaps it
  should be part of the Link headers of the registration?

* Updates should use "PUT" instead of "POST", as they should be

* When updating a registration sending empty "contact"/"agreement"
  should actually reset them (if allowed) compared to not sending them,
  which just retrieves the currently set values.

  I.e. posting {"contact":[]} should delete all contact information.

* All responses to successful updates should contain the same "Link"
  headers as the creating request did.

* The "success" status code for updates should be documented. Right now
  boulder always returns "202 Accepted".

  For challenges the spec says `The server provides a 200 response
  including the updated challenge.`; boulder returns 202 anyway.

* simpleHttps: `The content type of the resource MUST be "text/plain"`
  versus `4. Verify that the Content-Type header of the response is
  either absent, or has the value "text/plain"`

  Is an absent Content-Type header ok or not?

* dvsni: Please don't require the domain name which is being validated
  to be part of subjectAltName; configuring such certificate might
  break a working setup in production, when it "wins" over an already
  present and valid certificate for the domain.

* dvsni: Don't require it to be a self-signed certificate - what does it
  matter who signed it?

* dvsni: `The public key is the public key for the key pair being
  authorized`. I hope this was just an accident, this would be *really*
  wrong to require.

I guess that the "dns" challenge type is probably not ready yet; but I
suggest adding a "nodns" challenge which should be required in all
combinations which don't include "dns": no any _acme-challenge TXT
must be present.

Maybe another type "nodnssec" could also be added, to require DNSSEC in
all combinations not including "dns" - so DNSSEC domains always have to
be authorized by "dns" challenge.

Also I'd like to suggest making "dns" more powerful; for example making
it possible to authorize accounts by public key and to authorize sub
domains. Example: TXT "inherit:1 key-sha256:47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU=" TXT "token:17817c66b60ce2e4012dfad92657527a"