For use of a token with http-01, it seems like the relevant section of the baseline requirements would be 3.2.2.4.6 Agreed-Upon Change to Website. Is that correct?
That section seems to explicitly state "where the Request Token or Random Value MUST NOT appear in the request". Including the token (which the document seems to refer to as the "Random Value") in the request path (as http-01 does) would seem to violate this normative language. Am I misunderstanding the content of that section?

________________________________
From: [email protected] <[email protected]> on behalf of Ilari Liusvaara <[email protected]>
Sent: Friday, May 12, 2017 4:23 AM
To: Zach Shepherd
Cc: Jacob Hoffman-Andrews; [email protected]
Subject: Re: [Acme] Bypassing the intended purpose of requiring 128 bits of entropy for the http-01 token

On Thu, May 11, 2017 at 11:46:10PM +0000, Zach Shepherd wrote:
> If this sort of "stateless" server is acceptable, why do we require
> 128 bits of entropy for the token?

CAB Forum Baseline Requirements.

> * - If stateless http clients are acceptable, why not stateless DNS
> clients? I think allowing administrators to set a single TXT record
> containing the account key thumbprint and have it be re-used for
> multiple challenges would make it much more feasible to use the DNS
> challenge in environments where DNS management access is tightly
> controlled.

Again, CAB Forum Baseline Requirements.

-Ilari
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
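An added example, not part of the thread and not code from any ACME implementation: the "stateless" http-01 responder the thread is arguing about, beside the conventional stateful one it is being contrasted with, written in Python. It assumes the ACME key authorization format (the token, a dot, then the RFC 7638 thumbprint of the account key, all base64url without padding); the JWK, token values and request paths are constructed for the demonstration.

```python
import base64
import hashlib
import json
import secrets
from typing import Optional, Set

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE encode it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def new_token() -> str:
    """A fresh token with the 128 bits of entropy the thread refers to."""
    return b64url(secrets.token_bytes(16))

def key_authorization(token: str, account_jwk: dict) -> str:
    """Key authorization: token, a dot, then the account key thumbprint."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def stateless_responder(path: str, account_jwk: dict) -> Optional[str]:
    """Stateless style from the thread: the token is read back out of the request path,
    so every well-formed path gets an answer whether or not a challenge is pending."""
    if not path.startswith(CHALLENGE_PREFIX):
        return None
    return key_authorization(path[len(CHALLENGE_PREFIX):], account_jwk)

def stateful_responder(path: str, account_jwk: dict, issued: Set[str]) -> Optional[str]:
    """Conventional style: answer only tokens provisioned for a pending challenge, so the
    random token has to reach the server through the ACME account, not via the request."""
    token = path[len(CHALLENGE_PREFIX):] if path.startswith(CHALLENGE_PREFIX) else None
    if token is None or token not in issued:
        return None
    return key_authorization(token, account_jwk)

# Constructed account key: the shape of a P-256 JWK with placeholder coordinates
# (not a real curve point). The extra members must not affect the thumbprint.
DEMO_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(bytes(range(32))),
            "y": b64url(bytes(range(32, 64))), "alg": "ES256", "use": "sig"}
```

The stateless responder produces a correct key authorization for a token no CA ever issued, which is the behaviour the quoted question is about; the stateful responder answers only once the token has been provisioned.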
