[cabf_validation] DV Ballot / IETF ACME alignment
jjones at mozilla.com
Thu Feb 25 13:33:23 MST 2016
Yes. The random value as defined for the HTTP-01 and DNS-01
challenges is a random value,
generated by the CA, with at least 128 bits of entropy, encoded as
If a client wants to fulfill the ACME HTTP-01 challenge, the server
might supply back a JSON response:
... which would require the client to provision a file at
containing the appropriate metadata for ACME.
On Thu, Feb 25, 2016 at 1:22 PM, Doug Beattie
<doug.beattie at globalsign.com> wrote:
> JC, is the random value for "Key Authorization" generated by the CA?
>> -----Original Message-----
>> From: validation-bounces at cabforum.org [mailto:validation-
>> bounces at cabforum.org] On Behalf Of J.C. Jones
>> Sent: Thursday, February 25, 2016 1:27 PM
>> To: Validation at cabforum.org
>> Subject: [cabf_validation] DV Ballot / IETF ACME alignment
>> Thank you for letting me join the WG at this late date, and thank you for
>> making the obvious effort you have in permitting use cases like the proposed
>> ACME protocol [1]. I believe that the proposed language is already quite
>> aligned with the techniques used in ACME. Let me run through a few points:
>> The ACME "Key Authorization" concept in general appears compliant with
>> the draft BR concept of a "Random Value". Last week I was informed that
>> was intentional; thank you! I'm reaching out to the ACME WG mailing list
>> later today to double-check my understanding.
>> The ACME DNS-01 challenge appears compliant with the draft BR Paragraph
>> 7.b, assuming that the ballot does not change to specify the DNS record
>> name. For reference, currently ACME uses the record "_acme-
>> The ACME HTTP-01 challenge is generally compliant with draft BR Paragraph
>> 6.b, except that ACME uses a path "/.well-known/acme-challenge/<Random
>> Value>". The ACME WG intends to register that path with the IANA list of
>> well-known URIs for the purposes of domain validation [2]. I would like to
>> propose that the language for Paragraph 6.b permit either IANA-registered
>> URIs, or ACME's path explicitly. One example is attached, affecting only row
>> H (Paragraph 6).
>> The ACME TLS-SNI-01 challenge is not compliant at this time, and I will work
>> on some draft language for consideration before Friday of next week.
>> - J.C.
>> 1) https://tools.ietf.org/html/draft-ietf-acme-acme
>> 2) https://www.iana.org/assignments/well-known-uris/well-known-
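Added example (not part of the thread above, and not code from the ACME draft or any CA): the key-authorization derivation that the reply describes, from the defender's side of the exchange. It assumes the construction the ACME draft uses, a CA-issued token with 128 bits of entropy, a key authorization of the form token "." thumbprint(account key), the RFC 7638 JWK thumbprint, the HTTP-01 path under /.well-known/acme-challenge/, and a DNS-01 TXT value that is the base64url SHA-256 of the key authorization. The JWK and token in the block are constructed placeholders, not real key material, and the helper names are this example's own.

```python
"""Added example: ACME HTTP-01 / DNS-01 key-authorization derivation.

Assumptions (not taken from the thread): account keys are JWK dicts,
thumbprints follow RFC 7638, and the CA issues the token. The sample
JWK below is a constructed placeholder, not a usable key.
"""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed placeholder JWK: field values are made up and too short to be a real key.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "sample-modulus-not-a-real-key",
    "e": "AQAB",
    "kid": "ignored-by-thumbprint",  # extra member; must not affect the thumbprint
}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses for tokens and digests."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sha256_b64url(data: bytes) -> str:
    """base64url(SHA-256(data)); 32-byte digest -> 43 characters."""
    return b64url(hashlib.sha256(data).digest())


def new_token() -> str:
    """CA side: a fresh token with 128 bits of entropy (16 random bytes -> 22 chars)."""
    return b64url(secrets.token_bytes(16))


# Members hashed by RFC 7638 per key type, in lexicographic order.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: only the required members, sorted, no whitespace, SHA-256."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           separators=(",", ":"), sort_keys=True)
    return sha256_b64url(canonical.encode("utf-8"))


def key_authorization(token: str, account_jwk: dict) -> str:
    """The value the client must prove it controls: token '.' thumbprint."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_path(token: str) -> str:
    """Where the CA fetches the HTTP-01 proof on the candidate host."""
    return f"/.well-known/acme-challenge/{token}"


def dns01_record_name(domain: str) -> str:
    """TXT record name the CA queries for DNS-01."""
    return f"_acme-challenge.{domain}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """DNS-01 publishes a digest of the key authorization, not the value itself."""
    return sha256_b64url(key_authorization(token, account_jwk).encode("ascii"))


def verify_http01(token: str, account_jwk: dict, fetched_body: bytes) -> bool:
    """CA side: compare the fetched body to the expected key authorization.

    Trailing whitespace is tolerated (web servers commonly append a newline);
    the comparison is constant-time so a mismatch leaks no position information.
    """
    expected = key_authorization(token, account_jwk).encode("ascii")
    return hmac.compare_digest(expected, fetched_body.rstrip(b" \t\r\n"))


if __name__ == "__main__":
    tok = new_token()
    print("HTTP-01 path:", http01_path(tok))
    print("HTTP-01 body:", key_authorization(tok, SAMPLE_ACCOUNT_JWK))
    print("DNS-01 record:", dns01_record_name("example.com"),
          "TXT", dns01_txt_value(tok, SAMPLE_ACCOUNT_JWK))
```

The thumbprint deliberately ignores members such as "kid", so two representations of the same account key yield the same key authorization; that is what lets the CA bind the token to the account key that requested it rather than to any file that happens to echo the token back.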