Comments (4)
This is a very good point. I think the simplest thing to do here may be to just use the JOSE signature scheme, with the nonce as a protected header parameter. With that, the input the signature algorithm for a given nonce and payload would be:
base64("{\"nonce\":base64(nonce)}) || . || base64(payload)
This is especially appealing now that JWS has a simpler syntax for JSON-formatted objects. With that, a JWS would be nearly as simple as what's there today.
https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-36#section-7.2.2
Could you please file the "different key pair" issue as a separate issue?
from acme-spec.
JOSE protected header seems like overkill. Restricting nonces to 16 bytes doesn't sound particularly future-proof. What about prepending the nonce length?
from acme-spec.
Switching to JWS does solves this problem and would not require fixing the nonce length. An alternative to including the nonce in the JWS Protected Header is to make the signature payload a (stringified) JSON object that includes the "nonce" key+value as well as the other values being signed over. This would avoid other attacks of the kind described by @agl. If the signature is valid, it is a simple matter for the server to decode the payload and check that the nonce and other inputs match expected values.
Heck, you could even sign the whole response object if you wanted (minus those bits that are part of the signature construction).
It is a sensible move anyway - why devise a new signature scheme instead of using an existing one? I don't buy the argument that it is overkill.
from acme-spec.
The use of JWS is sufficient to address this problem.
from acme-spec.
Related Issues (20)
- 7.4 DNS Challenge *pre*pends label HOT 5
- 9.1 update outbound cxn methods HOT 1
- Differing description of {DVSNI, DNS} validation mechanism in 7.2, 9.2 HOT 1
- Add RECOMMENDED line to stronger DNS validation HOT 1
- Dns challenge signature is too long for dns TXT record HOT 6
- Specify type of "true" / "false" value for "tls" field. HOT 3
- .well-known ACME challenge files blocked 403 Forbidden in some Nginx configurations HOT 8
- method needed for forwarding *.acme.invalid to correct server HOT 3
- Register .well-known/acme-challenge with IANA HOT 2
- Describe 'validationRecord' (part of a challenge-resource) HOT 1
- Usage of RFC3339 - "5.3 Rarely Used Options" HOT 3
- Clarification on which spec to use HOT 2
- ASN1_mbstring_ncopy string too long with multiple alt-names HOT 3
- Domain validation and usage of userkey pair discussion HOT 1
- Travis integration may expose integration keys HOT 6
- http-01 and dns-01 challenges: just use account key HOT 1
- dns-01 walk-up HOT 1
- Letsencrypt behind a firewall with NAT HOT 4
- --agree-tos in ACME clients: acceptable or not? HOT 2
- Add alternate hostname for http challange HOT 9
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from acme-spec.