Re: [Acme] Mail regarding craft of hash for draft-ietf-acme-dns-account-challenge

Amir Omidi <amir@aaomidi.com> Fri, 02 February 2024 16:35 UTC

To: Seo Suchan <tjtncks@gmail.com>
Cc: acme@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/y-MYGaZmw9166qH_9bOMJQ5wETw>

From my understanding, under ACME we treat that entire accountURL as the
userID. So I think that URL will need to be stable.

On Fri, Feb 2, 2024 at 2:36 AM Seo Suchan <tjtncks@gmail.com> wrote:

> Some ACME servers have multiple allowed ACME endpoint domains, and the
> server doesn't know which domain name the client used to access its API,
> so it doesn't have the full accountURL that is used to craft the
> challenge subdomain.
>
> For example, Boulder (what Let's Encrypt uses) allows access from
> multiple paths:
>
> "accountURIPrefixes": [
>     "http://boulder.service.consul:4000/acme/reg/",
>     "http://boulder.service.consul:4001/acme/acct/"
> ]
>
> And Pebble and smallstep do not have a host in their config but allow any
> IP or domain pointed to them, and reflect it to create the links to
> account/order/etc.
>
> Would only using the userid part of the accountURL (ExampleAccount) from
> https://example.com/acme/acct/ExampleAccount be a problem? While it's
> trivial to go from the hash back to the accountURL, as the accountID was
> an autoincrementing counter, there are so few large ACME providers that
> it was trivial to make a rainbow table anyway.
>
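To make the stability question above concrete, here is an added example (not code from the thread, the draft, or Boulder) that derives the per-account DNS label the way I read draft-ietf-acme-dns-account-challenge-00: "_" followed by base32 of the first 10 bytes of SHA-256 over the account resource URL. It uses the two Boulder accountURIPrefixes quoted in the mail with a constructed account ID, and shows that the same account reached through the two prefixes yields two different labels, whereas hashing only the account ID (the alternative the question raises) is stable across prefixes.

```python
import base64
import hashlib

# Draft construction as I read -00 (assumption): SHA-256 over the ASCII account
# resource URL, keep 10 bytes, base32 (80 bits -> exactly 16 chars, no padding).
CHALLENGE_SUFFIX = "._acme-challenge"


def dns_account_label(subject: str) -> str:
    """Return the leading DNS label, e.g. '_ujmm...' (17 chars), for a subject string."""
    digest = hashlib.sha256(subject.encode("ascii")).digest()
    return "_" + base64.b32encode(digest[:10]).decode("ascii").lower()


def challenge_name(account_url: str, domain: str) -> str:
    """Full owner name of the TXT record the CA would query for this account/domain."""
    return dns_account_label(account_url) + CHALLENGE_SUFFIX + "." + domain


# The two prefixes quoted from Boulder's config; the account ID is constructed.
BOULDER_PREFIXES = [
    "http://boulder.service.consul:4000/acme/reg/",
    "http://boulder.service.consul:4001/acme/acct/",
]
SAMPLE_ACCOUNT_ID = "12345"


def labels_by_prefix(account_id: str, prefixes: list[str]) -> dict[str, str]:
    """Label the CA computes when it reconstructs the account URL from each prefix."""
    return {p: dns_account_label(p + account_id) for p in prefixes}


def label_is_stable(account_id: str, prefixes: list[str]) -> bool:
    """True iff every prefix produces the same label (the draft needs this to hold)."""
    return len(set(labels_by_prefix(account_id, prefixes).values())) == 1


def id_only_label_is_stable(account_id: str, prefixes: list[str]) -> bool:
    """The alternative from the question: hash only the account ID, ignoring the prefix."""
    return len({dns_account_label(account_id) for _ in prefixes}) == 1


if __name__ == "__main__":
    for prefix, label in labels_by_prefix(SAMPLE_ACCOUNT_ID, BOULDER_PREFIXES).items():
        print(f"{prefix}{SAMPLE_ACCOUNT_ID} -> {label}{CHALLENGE_SUFFIX}.www.example.org")
    print("full-URL label stable across prefixes:", label_is_stable(SAMPLE_ACCOUNT_ID, BOULDER_PREFIXES))
    print("ID-only label stable across prefixes: ", id_only_label_is_stable(SAMPLE_ACCOUNT_ID, BOULDER_PREFIXES))
```

A CA that reflects the request Host header into account URLs (as the mail says Pebble and smallstep do) is the same case with an unbounded prefix list, so it cannot know which label the client published unless the account URL is pinned at registration.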