[cabf_validation] DV Ballot / IETF ACME alignment

Doug Beattie doug.beattie at globalsign.com
Thu Feb 25 13:22:53 MST 2016


JC, is the random value for "Key Authorization" generated by the CA?


> -----Original Message-----
> From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of J.C. Jones
> Sent: Thursday, February 25, 2016 1:27 PM
> To: Validation at cabforum.org
> Subject: [cabf_validation] DV Ballot / IETF ACME alignment
> 
> All,
> 
> Thank you for letting me join the WG at this late date, and thank you for
> making the obvious effort you have in permitting use cases like the proposed
> ACME protocol [1]. I believe that the proposed language is already quite
> aligned with the techniques used in ACME. Let me run through a few points:
> 
> The ACME "Key Authorization" concept in general appears compliant with
> the draft BR concept of a "Random Value". Last week I was informed that
> was intentional; thank you! I'm reaching out to the ACME WG mailing list
> later today to double-check my understanding.
> 
> The ACME DNS-01 challenge appears compliant with the draft BR Paragraph
> 7.b, assuming that the ballot does not change to specify the DNS record
> name. For reference, currently ACME uses the record
> "_acme-challenge.<FQDN>".
> 
> The ACME HTTP-01 challenge is generally compliant with draft BR Paragraph
> 6.b, except that ACME uses a path
> "/.well-known/acme-challenge/<Random Value>". The ACME WG intends to
> register that path with the IANA list of well-known URIs for the purposes
> of domain validation [2]. I would like to propose that the language for
> Paragraph 6.b permit either IANA-registered URIs, or ACME's path
> explicitly. One example is attached, affecting only row H (Paragraph 6).
> 
> The ACME TLS-SNI-01 challenge is not compliant at this time, and I will work
> on some draft language for consideration before Friday of next week.
> 
> Cheers!
> 
>  - J.C.
> 
> 1) https://tools.ietf.org/html/draft-ietf-acme-acme
> 2) https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml
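For readers following the question above about who generates the random value: the following is an added worked example, not code from the ACME draft, from the CA/Browser Forum, or from either correspondent. It builds the three artifacts the quoted mail refers to, following draft-ietf-acme-acme (later RFC 8555) and the JWK thumbprint of RFC 7638: the CA-generated token, the Key Authorization (token joined to the thumbprint of the applicant's account key), the HTTP-01 path under /.well-known/acme-challenge/, and the _acme-challenge DNS record name with its TXT value. The account JWK and the fixed token used in the demo are constructed sample values, and the CA-side check functions are this example's own names, not an API from any ACME implementation.

```python
"""ACME challenge material as the CA and the applicant each compute it.

Added example; not code from the ACME draft, the CA/B Forum, or the
correspondents. Follows draft-ietf-acme-acme (now RFC 8555) for the
challenges and RFC 7638 for the JWK thumbprint. The account key and the
fixed demo token are constructed sample values.
"""
import base64
import hashlib
import json
import secrets

# Members RFC 7638 feeds into the thumbprint, per key type (nothing else,
# so optional members such as "kid" or "alg" never affect the result).
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}

# Constructed sample account key (P-256 shape; coordinates are not a real key).
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, sorted, no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def new_token() -> str:
    """The CA's contribution: a fresh token with at least 128 bits of entropy.

    This is the part that maps onto the draft BR "Random Value"; the
    applicant never chooses it.
    """
    return b64url(secrets.token_bytes(32))


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint: CA randomness bound to the applicant's account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_path(token: str) -> str:
    """Where the CA fetches over HTTP; the body must be the key authorization."""
    return f"/.well-known/acme-challenge/{token}"


def dns01_record_name(fqdn: str) -> str:
    """Owner name of the TXT record the CA queries."""
    return f"_acme-challenge.{fqdn.rstrip('.')}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """DNS-01 does not publish the key authorization itself, only its SHA-256."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii"))
    return b64url(digest.digest())


def ca_checks_http01(served_body: str, token: str, account_jwk: dict) -> bool:
    """CA side: compare the fetched body (trailing whitespace ignored) to the expected value."""
    expected = key_authorization(token, account_jwk)
    return secrets.compare_digest(served_body.rstrip(), expected)


def ca_checks_dns01(txt_records: list, token: str, account_jwk: dict) -> bool:
    """CA side: at least one TXT record must carry the expected digest."""
    expected = dns01_txt_value(token, account_jwk)
    return any(secrets.compare_digest(r, expected) for r in txt_records)


if __name__ == "__main__":
    token = new_token()                       # generated by the CA
    print("token (CA):            ", token)
    print("key authorization:     ", key_authorization(token, SAMPLE_ACCOUNT_JWK))
    print("HTTP-01 path:          ", http01_path(token))
    print("DNS-01 record name:    ", dns01_record_name("example.com"))
    print("DNS-01 TXT value:      ", dns01_txt_value(token, SAMPLE_ACCOUNT_JWK))
```

The split answers the question in the reply: the token is the CA's random value, while the thumbprint half is derived from the applicant's account key, so the value the CA looks for is unpredictable to the applicant before issuance and also cannot be reused by a different account.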