Re: [Acme] Remove the hyphen from the acceptable character set for _acme-challenge TXT records.

2020-11-25 Thread Manger, James
An Acme CA may choose the dns-01 challenge token, but what goes in the DNS TXT record is base64url(SHA-256(f(token and account key))). So to avoid hyphens in that result the CA would need to: pick a random token; do the hash & base64url calculations; then repeat with a new random token if any hy

Re: [Acme] ACME subdomains

2020-09-02 Thread Manger, James
>> There’s a lot of mixing of example.org and >> example.com here, in ways I’m having trouble making >> sense of. I just wanted to confirm those were typos, since we have recently >> seen some confusion around this space. > I followed the patterns used in

Re: [Acme] Fwd: New Version Notification for draft-yusef-acme-3rd-party-device-attestation-01.txt

2019-01-24 Thread Manger, James
I’m confused about what is desired with draft-yusef-acme-3rd-party-device-attestation, but I think it may be quite different from what draft-ietf-acme-authority-token offers. Here’s my guess: draft-ietf-acme-authority-token is designed to issue certs for namespaces other than domain names, eg f

Re: [Acme] Alexey Melnikov's No Objection on draft-ietf-acme-acme-14: (with COMMENT)

2018-08-29 Thread Manger, James
>> base64url = [A-Z] / [a-z] / [0-9] / "-" / "_" > base64url = (%x40-5A) / (%x61-7A) / (%x30-39) / "-" / "_" “A” is %x41 (not %x40) -- James Manger

Re: [Acme] Implicit vs. explicit keys (was Re: Unparallelizing roll-over)

2016-08-21 Thread Manger, James
On Sun, Aug 21, 2016 at 8:32 PM, Jacob Hoffman-Andrews <j...@eff.org> wrote: On 08/21/2016 04:31 PM, Richard Barnes wrote: > How about this as a compromise proposal: Have the JWS header contain > *both* the account URL and the account public key. That way you get > fast rejection based on

Re: [Acme] Support for domains with redundant but not immediately synchronized servers

2015-12-06 Thread Manger, James
>> Ideally, it [Let's Encrypt] would use the IP of the >> requester (of course only after it has verified that the IP is in the >> DNS) or allow the requester to specify a preferred IP. This is quite a sensible feature request from Jonas. It supports multiple servers for a domain while encouragi

Re: [Acme] Signed JSON document / Json Content Metaheader / JSON Container

2015-01-28 Thread Manger, James
A signed JAR file meets some of these requirements. Metadata and signatures are in extra files in the ZIP archive: META-INF/MANIFEST.MF, META-INF/MYKEY.SF, META-INF/MYKEY.RSA. Content is the other files in the archive. It is not JSON of course, and the signature & certs are packaged in ASN.1, but