On Thu, Jan 11, 2018 at 08:23:26PM +0100, Sophie Herold wrote:
> Hi,
> 
> challenge tokens "MUST have at least 128 bits of entropy", at the same
> time it seems trivial to guess order and authorization URLs like the
> ones used in the examples. It seems natural that URLs MUST be generated
> with the same amount of entropy. But I couldn't find that in the draft.
> 
> 
> For account objects, GET requests are not allowed:
> 
>    Servers SHOULD NOT respond to GET requests for account resources as
>    these requests are not authenticated.
> 
> This suggests that all non-expiring URLs should be protected in this
> way. At least for orders lists, this protection is missing.
> 

The token entropy requirement is to render those tokens unguessable
before the validation request is received. This is to protect against
careless servers. The token is not actually secret after it has been
generated.

Now, in some approved CA validation methods, the tokens actually are
secret, but none of those is used in ACME.


-Ilari

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
