[cabf_validation] DV Ballot / IETF ACME alignment

J.C. Jones jjones at mozilla.com
Thu Feb 25 11:26:45 MST 2016


All,

Thank you for letting me join the WG at this late date, and thank you
for making the obvious effort you have in permitting use cases like
the proposed ACME protocol [1]. I believe that the proposed language
is already quite aligned with the techniques used in ACME. Let me run
through a few points:

The ACME "Key Authorization" concept in general appears compliant
with the draft BR concept of a "Random Value". Last week I was
informed that was intentional; thank you! I'm reaching out to the ACME
WG mailing list later today to double-check my understanding.

The ACME DNS-01 challenge appears compliant with the draft BR
Paragraph 7.b, assuming that the ballot does not change to specify the
DNS record name. For reference, currently ACME uses the record
"_acme-challenge.<FQDN>".

The ACME HTTP-01 challenge is generally compliant with draft BR
Paragraph 6.b, except that ACME uses a path
"/.well-known/acme-challenge/<Random Value>". The ACME WG intends to
register that path with the IANA list of well-known URIs for the
purposes of domain validation [2]. I would like to propose that the
language for Paragraph 6.b permit either IANA-registered URIs, or
ACME's path explicitly. One example is attached, affecting only row H
(Paragraph 6).

The ACME TLS-SNI-01 challenge is not compliant at this time, and I
will work on some draft language for consideration before Friday of
next week.

Cheers!

 - J.C.

1) https://tools.ietf.org/html/draft-ietf-acme-acme
2) https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Domain Validation Draft (2-25-2016) JCJ.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 47422 bytes
Desc: not available
Url : https://cabforum.org/pipermail/validation/attachments/20160225/c75643f2/attachment-0001.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Domain Validation Draft (2-25-2016) JCJ.pdf
Type: application/pdf
Size: 294942 bytes
Desc: not available
Url : https://cabforum.org/pipermail/validation/attachments/20160225/c75643f2/attachment-0001.pdf 

