Re: [Acme] Add an external secret field to registration

2016-09-23 Thread Jacob Hoffman-Andrews
On 08/21/2016 06:54 PM, Andy Ligg wrote:
> Sorry, the document still not update in “Registration Objects”, still same as Contact.

The pull request is definitely updated. Can you re-check https://github.com/ietf-wg-acme/acme/pull/172/files? More to the point, does the proposed change fit your ne

Re: [Acme] Add an external secret field to registration

2016-08-22 Thread Daniel McCarney
t; > > Best Regards, > > > > Andy > > > > *From:* Daniel McCarney [mailto:c...@letsencrypt.org] > *Sent:* Friday, August 19, 2016 11:30 PM > *To:* Andy Ligg > *Cc:* Jacob Hoffman-Andrews ; acme@ietf.org > *Subject:* Re: [Acme] Add an external secret field to regist

Re: [Acme] Add an external secret field to registration

2016-08-21 Thread Andy Ligg
McCarney [mailto:c...@letsencrypt.org] Sent: Friday, August 19, 2016 11:30 PM To: Andy Ligg Cc: Jacob Hoffman-Andrews ; acme@ietf.org Subject: Re: [Acme] Add an external secret field to registration > We checked the draft that the external_secret (optional, string) description > is same as C

Re: [Acme] Add an external secret field to registration

2016-08-19 Thread Daniel McCarney
> We checked the draft that the external_secret (optional, string) description is same as Contact.

This was fixed: https://github.com/ietf-wg-acme/acme/pull/172#discussion_r75344194

On Fri, Aug 19, 2016 at 7:26 AM, Andy Ligg wrote:
> We checked the draft that the external_secret (optional, s

Re: [Acme] Add an external secret field to registration

2016-08-19 Thread Daniel McCarney
> We checked the draft that the external_secret (optional, string) description is same as Contact.

This was fixed: https://github.com/ietf-wg-acme/acme/pull/172#discussion_r75344194

On Fri, Aug 19, 2016 at 7:26 AM, Andy Ligg wrote:
> We checked the draft that the external_secret (optional, st

Re: [Acme] Add an external secret field to registration

2016-08-19 Thread Andy Ligg
No, not this case. User must post the token with the right email and certificate to server. What I mean is StartCom system will send the token to customer's email account, but if this email account info is stolen by hacker, then it can be used to access this token's subscriber's account. My sugge

Re: [Acme] Add an external secret field to registration

2016-08-19 Thread Karthikeyan Bhargavan
Could you clarify the security goal of the external secret? Is it meant to be the *only* authentication client an ACME client needs to present in order to take over some user’s existing StartCom account? In that case, this is subject to the same security considerations as account recovery, and pot

Re: [Acme] Add an external secret field to registration

2016-08-19 Thread Andy Ligg
We checked the draft that the external_secret (optional, string) description is same as Contact. Another issue we think is how to guarantee this token's security, we plan to limit this token that it will expire at the short time. Please advise, thanks. Regards, Andy > On 18 Aug 2016, at 08:5

[Acme] Add an external secret field to registration

2016-08-17 Thread Jacob Hoffman-Andrews
Here's one version of what it might look like to add the token Andy proposed: https://github.com/ietf-wg-acme/acme/pull/172 Let me know what you think!