Comments (2)
+1 to the desire to have everything in the Authorization be public.
IIRC, Eckersley and Schoen were sanguine about recoveryTokens. But maybe
now that we have the recoveryContact method, we can get rid of
recoveryToken? I'll see if I can get them to chime in.
If we choose to keep the recoveryToken facility around, your scheme looks
pretty good to me. I would actually just use JWS again, but with alg=HS*.
Have the client's request include a JWS with a detached signature over the
request body. The processing would be something like:
Input: ACME authorization
- Serialize authz to JSON/UTF-8
- Compute "recoveryValue" == JWS("HS256", recoveryToken, serializedAuthz).SerializeCompact().Detach()
- Add a "recoveryValue" protected parameter to the outer JWS
- Compute the JWS wrapper for the overall signature.
These recoveryValues would not be very long, just (length of hash) +
(length of base64url-encoded protected header) + 2. For example:
eyJhbGciOiJIUzI1NiIsImtpZCI6IjIifQ..hSVV5XiBDjWiM2bvkvoNyaJYsNL65IcIEnUitDXdF1Y
On Mon, Dec 22, 2014 at 1:58 PM, Martin Thomson [email protected] wrote:

I noted this when reviewing #48. I think that this needs a better design, since it would be good if the information hosted in the authorization resource could be all completely public.

If the design of the recovery keys is such that they could be used just once (and I think that's probably fair), then you don't need to worry about redacting anything.

Clients create an authorization resource with a recovery key by adding a "recoveryKey" challenge when they request that the resource be created. This includes a hash value:

hash = HMAC(recoveryKey, 'acme-recovery\0' || identity.type.length || identity.type || identity.value.length || identity.value)

(I'm not sure what sort of HMAC discriminator you might want to use throughout, so details can vary.)

If a client wants to use the recovery key, it provides the value of recoveryKey.

Now, to the separate question of why it might want to have this capability at all...
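The detached-signature scheme proposed in the comment above, as an added Python example (not code from this issue or from acme-spec): recoveryValue is built as an HS256 compact JWS keyed by the recoveryToken with the payload detached, and checked by re-attaching the serialized authz. The sorted-key JSON serialization, the sample authz object and the token bytes are assumptions; with kid "2" the protected header comes out identical to the one in the comment's example, and the total length is 34 + 2 + 43 as the comment computes.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def serialize_authz(authz: dict) -> bytes:
    """Serialize the authz to JSON/UTF-8. Assumption: sorted keys and no
    whitespace, so client and server agree on the exact bytes being MACed."""
    return json.dumps(authz, sort_keys=True, separators=(",", ":")).encode("utf-8")


def recovery_value(recovery_token: bytes, authz: dict, kid: str) -> str:
    """Compact JWS with alg=HS256 keyed by the recoveryToken, payload detached
    (RFC 7515 Appendix F): '<protected>..<signature>'."""
    header = json.dumps({"alg": "HS256", "kid": kid}, separators=(",", ":"))
    protected = b64url(header.encode("utf-8"))
    signing_input = f"{protected}.{b64url(serialize_authz(authz))}".encode("ascii")
    sig = hmac.new(recovery_token, signing_input, hashlib.sha256).digest()
    return f"{protected}..{b64url(sig)}"


def verify_recovery_value(recovery_token: bytes, authz: dict, value: str) -> bool:
    """Re-attach the serialized authz and check the MAC. Anything that is not a
    detached HS256 compact JWS is rejected, so the presented 'alg' cannot be
    swapped for another algorithm."""
    parts = value.split(".")
    if len(parts) != 3 or parts[1] != "":
        return False
    protected, _, sig = parts
    try:
        header = json.loads(b64url_decode(protected))
    except ValueError:  # bad base64url, bad UTF-8 or bad JSON
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    signing_input = f"{protected}.{b64url(serialize_authz(authz))}".encode("ascii")
    expected = b64url(hmac.new(recovery_token, signing_input, hashlib.sha256).digest())
    return hmac.compare_digest(expected, sig)


# Constructed sample input: a stripped-down authorization object and token.
AUTHZ = {"identifier": {"type": "dns", "value": "example.com"}, "status": "valid"}
TOKEN = b"constructed-recovery-token"

if __name__ == "__main__":
    print(recovery_value(TOKEN, AUTHZ, "2"))
```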
I think this has been rendered moot by recent changes to the authz/registration objects.