From cda55e4cbccbf4832a39dfe6eed708e19d0bea79 Mon Sep 17 00:00:00 2001 From: Amir Omidi Date: Wed, 14 Feb 2024 19:10:13 +0000 Subject: [PATCH 1/2] Specify that the server uses the KID from JWS --- draft-ietf-acme-scoped-dns-challenges.mkd | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-acme-scoped-dns-challenges.mkd b/draft-ietf-acme-scoped-dns-challenges.mkd index 05ea263..83ec475 100644 --- a/draft-ietf-acme-scoped-dns-challenges.mkd +++ b/draft-ietf-acme-scoped-dns-challenges.mkd @@ -226,12 +226,12 @@ A client can fulfill this challenge by performing the following steps: } ~~~ -On receiving a response, the server constructs and stores the key authorization from the challenge `token` value and the current client account key. +On receiving this response, the server validates the JWS and constructs and stores the key authorization from the challenge `token` value and the current client account key. To validate the `dns-account-01` challenge, the server performs the following steps: - Compute the SHA-256 digest {{FIPS180-4}} of the stored key authorization -- Compute the validation domain name with the account URL of the ACME account requesting validation and the associated authorization, similar to the client logic +- Compute the validation domain name with the KID value in the JWS message - Query for `TXT` records for the validation domain name - Verify that the contents of one of the `TXT` records match the digest value From b6acb8698ba477b40b71296e24fd48e5036a3fa2 Mon Sep 17 00:00:00 2001 From: Amir Omidi Date: Thu, 15 Feb 2024 21:47:22 -0500 Subject: [PATCH 2/2] Update draft-ietf-acme-scoped-dns-challenges.mkd Co-authored-by: James Kasten --- draft-ietf-acme-scoped-dns-challenges.mkd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-acme-scoped-dns-challenges.mkd b/draft-ietf-acme-scoped-dns-challenges.mkd index 83ec475..2c6574f 100644 --- a/draft-ietf-acme-scoped-dns-challenges.mkd 
+++ b/draft-ietf-acme-scoped-dns-challenges.mkd @@ -226,7 +226,7 @@ A client can fulfill this challenge by performing the following steps: } ~~~ -On receiving this response, the server validates the JWS and constructs and stores the key authorization from the challenge `token` value and the current client account key. +On receiving this response, the server validates the message and constructs and stores the key authorization from the challenge `token` value and the current client account key. To validate the `dns-account-01` challenge, the server performs the following steps:
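Review bot: In the first hunk, the rewritten server step "Compute the validation domain name with the KID value in the JWS message" drops two things the removed line carried: the "associated authorization" input and the "similar to the client logic" cross-reference. The validation domain name in this draft is derived from the account identifier together with the authorization's scope, so a server following only the new text would not know to include the authorization half; and since the client section is the normative source of the construction, the pointer back to it should stay. The intent (bind the computation to the account the JWS is authenticated under, rather than a loosely described "account URL of the ACME account requesting validation") is a good one, because the `kid` of an ACME JWS is the account URL and that is the value the server has actually authenticated. Suggested wording: "- Compute the validation domain name from the account URL in the `kid` field of the request JWS and the associated authorization, using the same logic as the client". Also use the lower-case `kid` spelling that the JWS header field has, rather than "KID".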
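Review bot: In the second hunk, changing "validates the JWS" to "validates the message" makes the sentence vaguer than the line it replaces, and it now sits next to a step list that still says "the KID value in the JWS message", so the same artifact is named two different ways within a few lines. If the goal is to avoid restating JWS processing that the base ACME specification already requires, say so directly, e.g. "On receiving this response, the server authenticates the request as for any ACME request and constructs and stores the key authorization ..."; otherwise keep "validates the JWS" so the sentence and the `kid`-based step refer to the same object. Either way, the two lines should use one term.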