What I have understood of the 30-day limit is that the authorization granted must be for a maximum of 30 days. E.g., one token, regardless of whether it is random or static, may either be single-use or allow a maximum of 30 days during which the system considers the domain as "validated".
And a token must either be a random value, the hash of a certificate CSR, or the hash of a certificate SPKI. In the CAB Forum guidelines version 1.4.5, I don't see anything that requires a timestamp; however, they recommend a timestamp in the hash. The idea is that you should be able to automate setting up DNS-01 once, and then it is set once and for all.

-----Original message-----
From: ilariliusva...@welho.com [mailto:ilariliusva...@welho.com]
Sent: 13 November 2017 12:23
To: Sebastian Nielsen <sebast...@sebbe.eu>
Cc: acme@ietf.org
Subject: Re: [Acme] One suggestion for ACME, and also one question about CAA

On Mon, Nov 13, 2017 at 11:31:49AM +0100, Sebastian Nielsen wrote:
> First, I want to make a suggestion, and that is the possibility of a
> permanent domain authorization.
>
> The CABF says that it is permitted to use SPKI hash or CSR hash as
> authentication token, without any nonce.

Such a token would be valid for one use only unless timestamped. And even if timestamped, it would be limited to 30 days at most.

> Since SPKI hash is static for the same public key, and the CSR hash is
> static if you use the same CSR all the time, it would be permitted as
> a pre-authorization.

The token would still change, see above.

> Thus avoiding an unnecessary restart of the name server each renewal.

Use DNS dynamic updates. There is a 20-year-old RFC(!) describing one way of doing that. And then there are many DNS-server-specific ways. And automating DNS-01 requires such an API anyway.

If talking about HTTP-01, it does not require a server restart/reload in anything I know of. And TLS-SNI-02 is insane without special server support (which presumably eliminates restarts/reloads too).

-Ilari
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
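The dns-01 mechanics the thread argues about, as an added example that is not part of the thread, of the CAB Forum guidelines, or of any ACME implementation: it derives the `_acme-challenge` TXT value from a CA-issued challenge token and the account key's RFC 7638 thumbprint (RFC 8555 sections 8.1 and 8.4), then emits an RFC 2136 dynamic-update batch for nsupdate(1) so the record can be replaced without touching the name server's zone files. Because the token in RFC 8555 is chosen by the CA per challenge, the TXT value is different on every issuance, which is why the record has to be rewritten each time rather than set once. The JWK and the token below are constructed placeholders (not real key material), and `nsupdate_batch` and `dns01_txt_value` are hypothetical helper names chosen for this example.

```python
"""ACME dns-01 TXT value derivation plus an RFC 2136 update batch.

Added example, not code from the thread. The account key and the token are
constructed, non-secret placeholders.
"""
import base64
import hashlib
import json

# Constructed placeholder account key (NOT a real RSA key); only the fields
# that RFC 7638 includes in the thumbprint matter for the computation.
EXAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "placeholder-modulus-not-a-real-key",
    "alg": "RS256",  # deliberately present: must be ignored by the thumbprint
}

# Constructed placeholder for the token the CA places in the challenge object.
EXAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JWS and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of only the
    required public members, keys sorted lexicographically, no whitespace.
    Extra members such as 'alg' or 'kid' are excluded by construction."""
    required = {
        "RSA": ("e", "kty", "n"),
        "EC": ("crv", "kty", "x", "y"),
    }[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token || '.' || thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT record holds
    base64url(SHA-256(keyAuthorization)); 43 characters, no padding."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def nsupdate_batch(domain: str, txt_value: str, ttl: int = 60) -> str:
    """Hypothetical helper: build an nsupdate(1) batch (RFC 2136 dynamic
    update) that replaces the _acme-challenge TXT record. Deleting the old
    RRset first avoids leaving stale values that some CAs reject when more
    than one record is present. A short TTL limits caching of the old value."""
    name = f"_acme-challenge.{domain.rstrip('.')}."
    return "\n".join([
        f"update delete {name} TXT",
        f'update add {name} {ttl} IN TXT "{txt_value}"',
        "send",
        "",
    ])


if __name__ == "__main__":
    value = dns01_txt_value(EXAMPLE_TOKEN, EXAMPLE_ACCOUNT_JWK)
    print("keyAuthorization:", key_authorization(EXAMPLE_TOKEN, EXAMPLE_ACCOUNT_JWK))
    print("TXT value:", value)
    print(nsupdate_batch("example.com", value))
```

Feed the batch to `nsupdate -k <tsig-key-file>` against the zone's primary; the CA then resolves `_acme-challenge.<domain>` and compares the TXT value, so the TXT value can be computed client-side before the record is published and checked with `dig +short TXT _acme-challenge.example.com` before responding to the challenge.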