[Acme] RFC 8823 email-reply-00: How to concatenate the tokens?
Brian Sipos <BSipos@rkf-eng.com> Mon, 07 June 2021 02:39 UTC
From: Brian Sipos <BSipos@rkf-eng.com>
To: "acme@ietf.org" <acme@ietf.org>
Date: Mon, 07 Jun 2021 02:39:38 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/suw60485gKpcP9Cx5tl9gE1SQQI>
Richard,

From my interpretation, the fact that the two token parts are base64url strings is immaterial to the text-string concatenation into the ACME "token" value. The Key Authorization calculation of RFC 8555 also does not care where the token text came from or whether it is a base64url encoded text string.

Also be careful about your assumptions about the tokens themselves. While RFC 8555 makes requirements about base64url encoded token values, RFC 8823 does not make any requirements about the content of the "token-part2" text value. The fact that the example looks like base64url encoding implies that, but I don't see any requirement on the token-part2 generation other than its minimum entropy. An RFC 8823 implementation could just as well use random ASCII, Latin-1, base16, or any other text; base64 just happens to produce more entropy-dense text.

From my reading, the RFC 8823 requirement text is sufficient to explain this but having an example of the pre-digest Key Authorization value would be helpful to clarify this. The example currently includes only the Key Authorization digest but not the intermediate concatenated value.
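The concatenation discussed in the message above, as an added Python example that is not part of the original post or of either RFC's text: it builds the token by text-string concatenation, then the pre-digest Key Authorization and its SHA-256 digest, and contrasts that with the decode-then-concatenate reading. The function names, the fixed token parts and the JWK are constructed for illustration.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """base64url without padding, the form RFC 8555 uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, sorted keys, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def email_reply_values(part1: str, part2: str, jwk: dict) -> dict:
    token = part1 + part2  # text-string concatenation, parts are never decoded
    key_auth = token + "." + jwk_thumbprint(jwk)  # RFC 8555 key authorization
    digest = b64url(hashlib.sha256(key_auth.encode("utf-8")).digest())
    return {"token": token, "key_authorization": key_auth, "digest": digest}

def decode_then_concat(part1: str, part2: str) -> str:
    """The other reading: join the decoded octets, then re-encode."""
    return b64url(b64url_decode(part1) + b64url_decode(part2))

# Constructed sample inputs: fixed bytes, not random tokens and not a real key.
PART1 = b64url(bytes(range(16)))        # stands in for token-part1
PART2 = b64url(bytes(range(16, 32)))    # stands in for token-part2
JWK = {"kty": "EC", "crv": "P-256",
       "x": b64url(bytes(32)), "y": b64url(bytes([1]) * 32)}

if __name__ == "__main__":
    for name, value in email_reply_values(PART1, PART2, JWK).items():
        print(f"{name}: {value}")
    print("decode-then-concat token:", decode_then_concat(PART1, PART2))
```

The two readings produce the same token only when the first part's length is a multiple of four characters; with 16-byte parts (22 characters each) they diverge, so client and server must both use the text-string form to arrive at the same digest.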