The latest dns-account-01 draft (https://datatracker.ietf.org/doc/html/draft-ietf-acme-scoped-dns-challenges-00) incorporates recommendations from the dnsop domain control verification draft (https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-domain-verification-techniques-03).
The dnsop draft says:

> Providers MUST provide clear instructions on when a validation record can be removed. These instructions SHOULD be encoded in the RDATA via comma-separated ASCII key-value pairs [RFC1464], using the key "expiry" to hold a time after which it is safe to remove the validation record.

But the ACME draft doesn't specify that. I think it should! The specified expiry should be the expiry of the pending authorization object. After that point, the challenge will never be validated and the record can be removed.

This brings up a separate question: should subscribers be able to specify what maximum lifetime they want for the validated authorization? For instance, some subscribers might want to never reuse authorizations. Currently they can achieve that by deactivating authorizations after issuance, but it could be more convenient to do it preemptively. One option would be to encode it in the TXT record. But if we specify such a thing, I think we'd want it to work for any challenge type, probably by making it part of the challenge POST. So, out of scope for this draft, I think.
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
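The following is an added example from this editor, not code from the post, the ACME draft or the dnsop draft. It applies the dnsop recommendation quoted above to an ACME DNS challenge the way the post proposes: the TXT RDATA carries comma-separated key=value pairs in the RFC 1464 style, and the "expiry" pair holds the pending authorization's "expires" timestamp (RFC 3339, per RFC 8555 section 7.1.4). The second half is the clean-up side: given a published RDATA, decide whether the record may be removed yet. The key name "token" for the digest pair, the helper names, and the sample authorization and challenge objects are this example's own assumptions; the account-scoped owner name that dns-account-01 prescribes is assumed to be computed elsewhere and is not derived here.

```python
"""Added example (this editor's, not code from the post or either draft).

Builds the RDATA of an ACME DNS validation TXT record with a dnsop-style
"expiry" pair set to the pending authorization's "expires", and decides
from a published RDATA whether the record can be removed.
"""
import base64
import hashlib
import re
from datetime import datetime, timezone

DIGEST_KEY = "token"   # key name for the digest pair: this example's choice
EXPIRY_KEY = "expiry"  # key name given by the dnsop draft


def key_authorization_digest(token: str, account_thumbprint: str) -> str:
    """RFC 8555 s8.1/s8.4: base64url(SHA-256(token "." thumbprint)), unpadded."""
    key_auth = f"{token}.{account_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_auth).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_rdata(authz: dict, challenge: dict, account_thumbprint: str) -> str:
    """RDATA for the validation record, with expiry = authorization expiry.

    `authz` is an RFC 8555 authorization object (s7.1.4). Only a pending
    authorization can still be validated, so anything else is refused.
    """
    if authz.get("status") != "pending":
        raise ValueError("only a pending authorization gets a validation record")
    digest = key_authorization_digest(challenge["token"], account_thumbprint)
    # Neither value contains ',' or '=', so RFC 1464 backtick escaping is not needed.
    return f"{DIGEST_KEY}={digest},{EXPIRY_KEY}={authz['expires']}"


def parse_pairs(rdata: str) -> dict:
    """Split comma-separated key=value pairs (RFC 1464 escapes not handled)."""
    pairs = {}
    for item in rdata.split(","):
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed pair {item!r}")
        pairs[key.strip()] = value.strip()
    return pairs


def parse_rfc3339(ts: str) -> datetime:
    """RFC 3339 date-time -> aware datetime ('Z' and any fraction length accepted)."""
    if ts.endswith(("Z", "z")):
        ts = ts[:-1] + "+00:00"
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(\.\d+)?([+-]\d{2}:\d{2})", ts)
    if not m:
        raise ValueError(f"not an RFC 3339 date-time: {ts!r}")
    base, frac, tz = m.groups()
    # Normalise the fraction to six digits; older fromisoformat() is strict about it.
    micro = (frac or ".0")[1:7].ljust(6, "0")
    return datetime.fromisoformat(f"{base}.{micro}{tz}")


def safe_to_remove(rdata: str, now: datetime) -> bool:
    """True once the record's expiry has passed; a record with no expiry is kept."""
    expiry = parse_pairs(rdata).get(EXPIRY_KEY)
    if expiry is None:
        return False
    return now >= parse_rfc3339(expiry)


# Constructed sample objects, shaped like RFC 8555 authorization/challenge JSON.
SAMPLE_AUTHZ = {"status": "pending", "expires": "2025-01-02T03:04:05Z",
                "identifier": {"type": "dns", "value": "example.com"}}
SAMPLE_CHALLENGE = {"type": "dns-account-01", "status": "pending",
                    "token": "DGyRejmCefe7v4NfDGDKfA"}
SAMPLE_THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"

if __name__ == "__main__":
    rdata = build_rdata(SAMPLE_AUTHZ, SAMPLE_CHALLENGE, SAMPLE_THUMBPRINT)
    print(rdata)
    print(safe_to_remove(rdata, datetime.now(timezone.utc)))
```

One caveat worth keeping in mind when reading this: RFC 8555 section 8.4 has the server check that a TXT record's contents match the digest value, so appending ",expiry=..." to a plain dns-01 record would not validate against a server implementing only RFC 8555. That is exactly why a draft that wants the expiry hint has to say so explicitly, and why this example only targets a challenge whose specification adopts the key-value format.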