For some ACME servers there are multiple allowed ACME endpoint domains,
and the server doesn't know what domain name the client used to access
its API, thus it doesn't have the full accountURL that is used to craft
the challenge subdomain. For example, Boulder (what Let's Encrypt uses)
allows being accessed from multiple paths, e.g.:
"accountURIPrefixes": [
    "http://boulder.service.consul:4000/acme/reg/",
    "http://boulder.service.consul:4001/acme/acct/"
]
Pebble and smallstep do not have a host in their config but allow any IP
or domain pointed at them and reflect it to create the links to
account/order/etc.
Would using only the user ID part of the accountURL (ExampleAccount) from
https://example.com/acme/acct/ExampleAccount have a problem? While it's
trivial to go from the hash back to the accountURL since the accountID
was an autoincrementing counter, as there are so few large ACME providers
it was trivial to make a rainbow table anyway.
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
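The two points in the message above, worked through as an added example
(this is editor's code, not the poster's, and not Boulder, Pebble or
smallstep code). It assumes the label construction is
"_" + base32(SHA-256(accountURL)[0:10]) + "._acme-challenge", as in the
account-bound DNS challenge draft the thread concerns; the page itself
does not spell that out, so treat the exact formula as an assumption.
The Boulder prefixes are the ones quoted in the message; account id 1234
and the table size are made-up inputs. It shows (a) the same Boulder
account reached through two accountURIPrefixes produces two different
labels, which is why the server cannot validate without knowing which
URL the client used, (b) hashing only the id part gives one label
regardless of prefix, and (c) with sequential ids and a known prefix a
rainbow table maps any observed label back to its account id, and the
id-only variant needs no prefix knowledge at all.

```python
import base64
import hashlib
from typing import Dict, List, Optional

# Account URL prefixes quoted from the Boulder config in the message above.
BOULDER_PREFIXES = [
    "http://boulder.service.consul:4000/acme/reg/",
    "http://boulder.service.consul:4001/acme/acct/",
]


def _label(material: bytes) -> str:
    # Assumed construction: "_" + base32(SHA-256(material)[0:10]) + "._acme-challenge".
    # 10 bytes = 80 bits = exactly 16 base32 characters, so there is no '=' padding
    # and the result is a valid DNS label (lowercase a-z and 2-7).
    digest = hashlib.sha256(material).digest()[:10]
    return "_" + base64.b32encode(digest).decode("ascii").lower() + "._acme-challenge"


def label_from_account_url(account_url: str) -> str:
    """Label bound to the full account URL (scheme, host, port, path and id)."""
    return _label(account_url.encode("ascii"))


def label_from_account_id(account_id: str) -> str:
    """Alternative raised in the message: hash only the id part of the URL."""
    return _label(account_id.encode("ascii"))


def labels_per_prefix(account_id: int, prefixes: List[str] = BOULDER_PREFIXES) -> List[str]:
    """One account reachable through several prefixes yields one label per prefix,
    so a server that does not know which prefix the client used cannot pick one."""
    return [label_from_account_url(prefix + str(account_id)) for prefix in prefixes]


def build_rainbow_table(prefix: str, max_id: int) -> Dict[str, int]:
    """Precompute label -> id for sequential (autoincrementing) ids under one known
    prefix. With few large providers, a handful of prefixes covers most accounts."""
    return {label_from_account_url(f"{prefix}{i}"): i for i in range(1, max_id + 1)}


def build_id_only_table(max_id: int) -> Dict[str, int]:
    """Same idea for the id-only variant: no prefix is needed at all."""
    return {label_from_account_id(str(i)): i for i in range(1, max_id + 1)}


def recover_account_id(label: str, table: Dict[str, int]) -> Optional[int]:
    """Reverse an observed _acme-challenge label via the precomputed table."""
    return table.get(label)


if __name__ == "__main__":
    acct = 1234  # made-up account id
    print("URL-based labels for account", acct)
    for lbl in labels_per_prefix(acct):
        print("  ", lbl)
    print("id-only label:", label_from_account_id(str(acct)))

    observed = label_from_account_url(BOULDER_PREFIXES[1] + str(acct))
    table = build_rainbow_table(BOULDER_PREFIXES[1], 5000)
    print("URL-based table recovers id:", recover_account_id(observed, table))

    observed_id_only = label_from_account_id(str(acct))
    print("id-only table recovers id:", recover_account_id(observed_id_only, build_id_only_table(5000)))
```

Note that the URL-based table is keyed to one prefix: a label computed
under the other Boulder prefix misses it, which is the same mismatch the
server hits when it cannot tell which endpoint the client spoke to.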