Hi,
Reading section 4 of authority-token-07, a few questions came to me.
If I understand it correctly, the type of the JWT is defined by a claim
'atc', as opposed to having a claim tkauth-type set to atc. Defining a
tkauth-type seems preferable to me, as it enables the use of the claim 'atc'
in another context, but I am wondering if I am missing anything here.
The token authority x5u seems to be defined in RFC 7517, which should probably be
mentioned here as well. I am wondering about the motivation for restricting the
usage to x5u, as well as how x5u and iss should be handled when different
values are provided for x5u and iss.
I have the impression the section describes multiple things:
1. a new type of challenge (token)
2. the format of a (generic) token that the ACME server may interpret
3. a specific token type (atc)
Having not read [I-D.ietf-acme-authority-token-tnauthlist], it is a bit
difficult to understand what is generic to the use of tokens and what
is specific to [I-D.ietf-acme-authority-token-tnauthlist]. Typically,
suppose I would like to use a token for other purposes than "TnAuthList"; I
would like to understand how to take advantage of the framework and what
changes would be needed. Could you clarify this for me?
I expect the challenges to be proposed by the ACME server as follows:
"challenges": [
  {
    "type": "http-01",
    "url": "https://example.com/acme/chall/prV_B7yEyA4",
    "token": "DGyRejmCefe7v4NfDGDKfA"
  },
  {
    "type": "dns-01",
    "url": "https://example.com/acme/chall/Rg5dV14Gh1Q",
    "token": "DGyRejmCefe7v4NfDGDKfA"
  }
]
I can see 'tkauth-01' as being the type, and url as the URL where the attested
token will be uploaded, but it is not entirely clear to me what the Token
challenge, as expressed in RFC 8555 section 8.3 or section 8.4, would be. I am
wondering if you could clarify this for me.
Just to make sure I understand it correctly: once the ACME client picks a
token challenge, it requests the Token Authority to generate a token and
then POSTs it to the url provided by the challenge object. Am I correct? I
think a description of the exchange would ease the readability of the
document.
Yours,
Daniel
--
Daniel Migault
Ericsson
_______________________________________________
Acme mailing list
https://www.ietf.org/mailman/listinfo/acme
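The exchange the message asks about (client picks a tkauth-01 challenge, obtains an authority token, POSTs it to the challenge URL, and the ACME server validates it) modelled as an added, self-contained Python example; it is not code from the email, the draft or any ACME implementation. The challenge field names (tkauth-type, token-authority), the POST body field (tkauth) and the contents of the 'atc' claim are assumptions made for illustration, and an HMAC-signed JWS stands in for the certificate-based signature that the x5u header would normally reference. The server-side check ties the token's iss to the x5u the server already trusts for that issuer, which is one answer to the question of what to do when the two disagree: reject the token.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_tkauth_challenge(url: str, token: str, token_authority: str) -> dict:
    # Assumed challenge shape for illustration; the draft's field names may differ.
    return {"type": "tkauth-01", "url": url, "token": token,
            "tkauth-type": "atc", "token-authority": token_authority}


def mint_authority_token(secret: bytes, iss: str, x5u: str, atc: dict,
                         now: int, ttl: int = 300) -> str:
    # Token Authority side. HS256 is a stand-in for the real x5u-referenced key.
    header = {"alg": "HS256", "typ": "JWT", "x5u": x5u}
    payload = {"iss": iss, "iat": now, "exp": now + ttl, "atc": atc}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_authority_token(token: str, secret: bytes, trusted: dict,
                           expected_atc: dict, now: int) -> tuple:
    """ACME server side. `trusted` maps an accepted iss to the x5u it must carry."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except ValueError:  # covers bad base64 and bad JSON
        return False, "undecodable"
    if header.get("alg") != "HS256":  # pin the algorithm; never accept "none"
        return False, "unsupported alg"
    expected_sig = hmac.new(secret, (parts[0] + "." + parts[1]).encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(parts[2])):
        return False, "bad signature"
    iss = payload.get("iss")
    if iss not in trusted:
        return False, "untrusted issuer"
    if header.get("x5u") != trusted[iss]:  # iss and x5u must agree
        return False, "x5u does not match issuer"
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "expired"
    if payload.get("atc") != expected_atc:
        return False, "atc mismatch"
    return True, "ok"


def run_exchange() -> dict:
    """Walk through one good exchange and several rejected tokens (all constructed)."""
    now = 1_700_000_000
    secret = b"constructed-secret-standing-in-for-the-TA-key"
    ta_iss = "https://ta.example.net"
    trusted = {ta_iss: "https://ta.example.net/ta-cert.pem"}
    # 1. ACME server offers the challenge (constructed values).
    challenge = make_tkauth_challenge("https://example.com/acme/chall/constructed",
                                      "DGyRejmCefe7v4NfDGDKfA", ta_iss + "/token")
    # 2. Client asks the Token Authority for a token over the assumed 'atc' content.
    atc = {"tktype": "ExampleType", "tkvalue": "constructed-value"}
    good = mint_authority_token(secret, ta_iss, trusted[ta_iss], atc, now)
    # 3. Client POSTs it to the challenge URL (body field name assumed).
    client_post = {"url": challenge["url"], "body": {"tkauth": good}}
    # 4. Server validates the posted token, plus a few tokens it must reject.
    alg_none = (b64url(b'{"alg":"none","x5u":"' + trusted[ta_iss].encode() + b'"}')
                + "." + good.split(".")[1] + ".")
    return {
        "good": verify_authority_token(client_post["body"]["tkauth"], secret, trusted, atc, now),
        "x5u_mismatch": verify_authority_token(
            mint_authority_token(secret, ta_iss, "https://other.example/cert.pem", atc, now),
            secret, trusted, atc, now),
        "expired": verify_authority_token(
            mint_authority_token(secret, ta_iss, trusted[ta_iss], atc, now - 1000),
            secret, trusted, atc, now),
        "atc_mismatch": verify_authority_token(
            mint_authority_token(secret, ta_iss, trusted[ta_iss], {"tktype": "Other"}, now),
            secret, trusted, atc, now),
        "alg_none": verify_authority_token(alg_none, secret, trusted, atc, now),
    }


if __name__ == "__main__":
    for case, outcome in run_exchange().items():
        print(f"{case}: {outcome}")
```

Running the script prints the verdict for each constructed case; only the first token is accepted. The point of the iss/x5u pairing is that the server decides which certificate location it trusts for a given issuer in advance, so a token carrying a different x5u is refused rather than fetched.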