Comments (5)
I'm one of the authors of that draft, I'll also commit to helping with this implementation if need be!
Thank you so much for this, @sheurich
from boulder.
We'd be happy to accept contributions implementing DNS-ACCOUNT-01!
A few notes:
- Please implement DNS-ACCOUNT-01 in pebble first, to help maintain parity between the two ACME implementations and to ensure that clients implementing DNS-ACCOUNT-01 have a testbed to test against.
- As always, please break large changes down into easily-reviewable sections, preferably as separate PRs, but failing that as well-structured commits within a single PR. I honestly don't have a good instinct for how large this change is going to be, so it may fit in a single PR just fine, but keep it in mind.
- Just as a heads-up: we do automatic round-robin assignment of reviewers to PRs. Your first assigned reviewer should respond to the PR in about one business day, and other reviewers should take a look shortly after that. If the change is broken into multiple PRs, they'll likely be assigned to different people for their first round of review.
The Boulder VA is already configured with a set of accountURIPrefixes. The IsCaaValid gRPC method combines those prefixes with an accountURIID to check that CAA "accountURI" parameters are correct.
The AuthzMeta protobuf already contains the account's regID, which can be used in exactly the same way. Combining that regID with the accountURIPrefixes should give the full account URI, which can then be fingerprinted per the IETF draft.
edit: gah sorry, I now see that you already proposed this configuration-based approach in your comment above. Yes, I think that is the correct path forward :)
Great, thanks! I created letsencrypt/pebble#425 for the Pebble work.
In contrast to the Pebble implementation, the Boulder work has the additional complication of component separation. The method used in Pebble's wfe.updateChallenge:

    // Reconstruct account URL for use in scoped validation methods
    acctURL := wfe.relativeEndpoint(request, fmt.Sprintf("%s%s", acctPath, existingAcct.ID))
    // Submit a validation job to the VA, this will be processed asynchronously
    wfe.va.ValidateChallenge(ident, existingChal, existingAcct, acctURL, wildcard)

could be implemented in Boulder, but this requires a change in the RA/VA gRPC definition for PerformValidationRequest (e.g. an additional member of AuthzMeta).
One alternative could be statically defining account URL prefixes in configuration cf. https://github.com/orangepizza/boulder/blob/703182fae06ccf8e876a9c6bdc71b5e4186d630d/va/dns.go#L132-L133.
The protobuf change would be small and additive, while the configuration approach is a more localized change. How does this comparison align with the overall strategy in Boulder development?
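The configuration-based approach discussed in the two comments above (rebuild the account URL from a configured accountURIPrefix plus the authorization's regID, then fingerprint it), shown as an added Go example that is not Boulder's or Pebble's code. The label derivation follows the DNS-ACCOUNT-01 draft (draft-ietf-acme-dns-account-challenge); the function names, the prefix values and the in-memory txtZone resolver stand-in are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/base32"
	"encoding/base64"
	"fmt"
	"strings"
)

// dnsAccountLabel derives the DNS-ACCOUNT-01 label per the draft:
// "_" + lowercase unpadded base32(SHA-256(accountURL)[0:10]) + "._acme-challenge".
func dnsAccountLabel(accountURL string) string {
	sum := sha256.Sum256([]byte(accountURL))
	enc := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(sum[:10])
	return "_" + strings.ToLower(enc) + "._acme-challenge"
}

// candidateNames rebuilds the account URL from each configured prefix (assumed
// values) plus the authorization's regID and returns the TXT owner names to query.
func candidateNames(accountURIPrefixes []string, regID int64, domain string) []string {
	names := make([]string, 0, len(accountURIPrefixes))
	for _, prefix := range accountURIPrefixes {
		acctURL := fmt.Sprintf("%s%d", prefix, regID)
		names = append(names, dnsAccountLabel(acctURL)+"."+domain)
	}
	return names
}

// expectedTXT is the value the client publishes: base64url(SHA-256(keyAuthz)), as in DNS-01.
func expectedTXT(keyAuthorization string) string {
	sum := sha256.Sum256([]byte(keyAuthorization))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// txtZone is a constructed stand-in for the VA's resolver (owner name -> TXT records).
type txtZone map[string][]string

// validateDNSAccount01 reports whether any candidate name carries the expected TXT value.
func validateDNSAccount01(zone txtZone, names []string, want string) bool {
	for _, name := range names {
		for _, rr := range zone[name] {
			if rr == want {
				return true
			}
		}
	}
	return false
}
```

Checking every configured prefix mirrors how IsCaaValid already treats accountURIPrefixes; a deployment with a single prefix yields exactly one candidate name.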