diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index 83a57d8..34b98c6 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -5,3 +5,6 @@ RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \ && apt-get install -y --no-install-recommends xml2rfc ruby RUN gem install kramdown-rfc + +WORKDIR /home/vscode +USER vscode diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 8b3c9cc..7c28dae 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -6,6 +6,9 @@ "VARIANT": "ubuntu-22.04" } }, + "runArgs": [ + "--userns=keep-id" + ], "remoteUser": "vscode", "customizations": { "vscode": { diff --git a/.github/workflows/common.yml b/.github/workflows/common.yml index 4e94298..7e97971 100644 --- a/.github/workflows/common.yml +++ b/.github/workflows/common.yml @@ -22,7 +22,7 @@ jobs: - name: Generate 🔨 run: | - /usr/local/bin/kramdown-rfc2629 --v3 draft-ietf-acme-scoped-dns-challenges.mkd > docs/draft.xml + /usr/local/bin/kramdown-rfc2629 --v3 draft-ietf-acme-dns-account-challenge.mkd > docs/draft.xml cd docs xml2rfc --text --html --v3 draft.xml mv draft.html index.html diff --git a/.vscode/tasks.json b/.vscode/tasks.json index d0d0732..0f6ec60 100644 --- a/.vscode/tasks.json +++ b/.vscode/tasks.json @@ -4,7 +4,7 @@ { "label": "Build", "type": "shell", - "command": "/usr/local/bin/kramdown-rfc2629 --v3 draft-ietf-acme-dns-account-01.mkd > docs/draft.xml && xml2rfc --text --html --v3 docs/draft.xml", + "command": "/usr/local/bin/kramdown-rfc2629 --v3 draft-ietf-acme-dns-account-challenge.mkd > docs/draft.xml && xml2rfc --text --html --v3 docs/draft.xml", "group": { "kind": "build", "isDefault": true diff --git a/draft-ietf-acme-dns-account-challenge.mkd b/draft-ietf-acme-dns-account-challenge.mkd new file mode 100644 index 0000000..765aebb --- /dev/null +++ b/draft-ietf-acme-dns-account-challenge.mkd @@ -0,0 +1,197 @@ +--- +title: "Automated Certificate Management Environment (ACME) DNS Labeled With ACME Account ID Challenge" +abbrev: "ACME-DNS-CHALLENGE" +category: std + +docname: draft-ietf-acme-dns-account-challenge-02 +v: 3 +area: Security +workgroup: Automated Certificate Management Environment +keyword: acme +ipr: full3978trust200902 +venue: + group: WG + type: Working Group + mail: acme@ietf.org + arch: https://datatracker.ietf.org/wg/acme/about/ + github: aaomidi/draft-ietf-acme-dns-account-challenge + latest: https://github.com/aaomidi/draft-ietf-acme-dns-account-challenge + +author: + - + fullname: Antonios A. Chariton + organization: Independent Contributor + email: daknob@daknob.net + - + fullname: Amir A. Omidi + organization: Spirl + email: amir@aaomidi.com + - + fullname: James Kasten + organization: Google + email: jdkasten@google.com + - + fullname: Fotis Loukos + organization: Google + email: fotisl@google.com + - + fullname: Stanislaw A. Janikowski + organization: Google + email: stanwise@google.com + +normative: + FIPS180-4: + title: "Secure Hash Standard (SHS)" + date: 2015-08 + target: https://csrc.nist.gov/publications/detail/fips/180/4/final + author: + org: National Institute of Standards and Technology + +informative: + I-D.draft-ietf-dnsop-domain-verification-techniques: + +--- abstract + +This document outlines a new DNS-based challenge type for the ACME protocol that enables multiple independent systems to authorize a single domain name concurrently. By adding a unique label to the DNS validation record name, the dns-account-01 challenge avoids CNAME delegation conflicts inherent to the dns-01 challenge type. This is particularly valuable for multi-region or multi-cloud deployments that wish to rely upon DNS-based domain control validation and need to independently obtain certificates for the same domain. + +--- middle + +# Introduction + +The `dns-01` challenge specified in section 8.4 of {{!RFC8555}} uses a single DNS authorization label (`_acme-challenge`) for domain validation. This single-label approach creates a limitation in domain validation: each domain can only delegate its validation to one ACME client at a time. Since delegation requires the use of CNAME records, of which only one can exist per DNS name, operators are forced to choose a single ACME challenge solver for their domain name. + +This limitation becomes particularly problematic in modern deployment architectures. In multi-region deployments, separate availability zones serve the same content while avoiding cross-zone dependencies. These zones need to independently obtain and manage certificates for the same domain name. Similarly, during zero-downtime migrations, two different infrastructure setups may coexist for extended periods, with both requiring access to valid certificates. Other use cases include multi-CDN deployments and the provision of backup certificates for use when an active certificate must be quickly revoked. + +This document specifies a new challenge type: `dns-account-01`, which addresses these operational needs. The `dns-account-01` challenge incorporates the ACME account URL into the DNS validation record name, allowing multiple independent ACME clients to perform domain validation concurrently. Since these authorization labels depend on the ACME account KID ({{!RFC8555, Section 7.3}}), operators can generate and configure the necessary DNS records in advance. + +This RFC does not deprecate the `dns-01` challenge specified in {{!RFC8555}}. The ability to complete the `dns-account-01` challenge requires ACME server operators to deploy new code, making adoption of this challenge an opt-in process. + + +# Conventions and Definitions + +{::boilerplate bcp14-tagged} + +# DNS-ACCOUNT-01 Challenge + +The `dns-account-01` challenge allows a client to prove control of a domain name by provisioning a TXT resource record containing a designated value for a specific validation domain name. It leverages the ACME account URL to construct a unique but stable validation domain name. The ACME server validates control of the domain name by performing one or more DNS queries to this validation domain name, following CNAME records, to arrive at one or more TXT resource record. The ACME server verifies that the contents of one or more of these TXT record(s) match the digest value of the key authorization that is constructed from the token value provided in the challenge. + + +## Challenge Definition +The challenge object contains the following fields: + +* type (required, string): The string "dns-account-01". +* token (required, string): A random value that uniquely identifies the challenge. This value MUST have at least 128 bits of entropy. It MUST NOT contain any characters outside the base64url alphabet, including padding characters ("="). See {{!RFC4086}} for additional information on additional requirements for secure randomness. + +Example challenge object: + +~~~ +{ + "type": "dns-account-01", + "url": "https://example.com/acme/chall/i00MGYwLWIx", + "status": "pending", + "token": "ODE4OWY4NTktYjhmYS00YmY1LTk5MDgtZTFjYTZmNjZlYTUx" +} +~~~ + +## Challenge Fulfillment + +To fulfill this challenge, a client performs the following steps: + +1. Construct Key Authorization + - Construct a key authorization {{!RFC8555, Section 8.1}} from the `token` value provided in the challenge and the client's account key + - Compute the SHA-256 digest {{FIPS180-4}} of the key authorization + +2. DNS Record Creation + - Construct the validation domain name by prepending the following two labels to the domain name being validated: + + "_" || base32(SHA-256()[0:10]) || "._acme-challenge" + + - SHA-256 is the SHA hashing operation defined in {{!RFC6234}} + - `[0:10]` is the operation that selects the first ten bytes (bytes 0 through 9 inclusive) from the previous SHA-256 operation + - base32 is the operation defined in {{!RFC4648}} + - ACCOUNT_URL is defined in {{!RFC8555, Section 7.3}} as the value in the `Location` header field + - The `||` operator indicates concatenation of strings + + - Provision a DNS `TXT` record with the base64url digest value under the constructed domain validation name + +3. Challenge Response + - Respond to the ACME server with an empty object ({}) to acknowledge that the challenge can be validated by the server + +Example DNS record for domain `example.org` with account URL `https://example.com/acme/acct/ExampleAccount`: + +~~~ +_ujmmovf2vn55tgye._acme-challenge.example.org 300 IN TXT "LoqXcYV8...jxAjEuX0.9jg46WB3...fm21mqTI" +~~~ + +Example response to server: + +~~~ +POST /acme/chall/Rg5dV14Gh1Q +Host: example.com +Content-Type: application/jose+json + +{ + "protected": base64url({ + "alg": "ES256", + "kid": "https://example.com/acme/acct/ExampleAccount", + "nonce": "SS2sSl1PtspvFZ08kNtzKd", + "url": "https://example.com/acme/chall/Rg5dV14Gh1Q" + }), + "payload": base64url({}), + "signature": "Q1bURgJoEslbD1c5...3pYdSMLio57mQNN4" +} +~~~ + +## Server Validation + +Upon receiving the challenge response, the server: + +1. Performs the typical JWS validation. +2. Constructs and stores the key authorization +3. Computes the SHA-256 digest {{FIPS180-4}} of the stored key authorization +4. Computes the validation domain name using the KID value from the JWS message +5. Queries for TXT records at the validation domain name +6. Verifies that one TXT record matches the computed digest value + +The validation succeeds only if all verifications pass. The server MUST mark the challenge as invalid if any verification fails. + +The client SHOULD de-provision the resource record(s) provisioned for this challenge once the challenge is complete, i.e., once the "status" field of the challenge has the value "valid" or "invalid". + +## Errors + +The server SHOULD follow the guidelines set in {{!RFC8555, Section 6.7}} for error conditions that occur during challenge validation. + +If the server is unable to find a `TXT` record for the validation domain name, it SHOULD include the account URL it used to construct the validation domain name in the problem document. Clients MUST NOT use or rely on the presence of this field to construct the validation domain name. + +## Implementation Considerations + +As this challenge creates strong dependency on the `kid` account identifier, the server SHOULD ensure that the account identifier is not changed during the lifetime of the account. This contains the entire URI, including the ACME endpoint domain name, port, and full HTTP path. + +# Security Considerations + +The same security considerations apply for the integrity of authorizations ({{!RFC8555, Section 10.2}}) and DNS security ({{!RFC8555, Section 11.2}}) as in the original specification for `dns-01`. + +To allow for seamless account key rollover without the label changing, the dynamic part of the label depends on the ACME account and not the account key. This allows for long-lived labels, without the security considerations of keeping the account key static. + +In terms of the construction of the account label prepended to the domain name, there is no need for a cryptographic hash. The goal is to simply create a long-lived and statistically distinct label of minimal size. SHA-256 was chosen due to its existing use in the `dns-01` challenge ({{!RFC8555, Section 8.1}}). + +The first 10 bytes were picked as a tradeoff: the value needs to be short enough to stay lower than the size limits for DNS ({{!RFC1035, Section 2.3.4}}), long enough to provide sufficient probability of collision avoidance across ACME accounts, and just the right size to have Base32 require no padding. As the algorithm is used for a uniform distribution of inputs, and not for integrity, we do not consider the trimming a security issue. + +# IANA Considerations + +## ACME Validation Method + +The "ACME Validation Methods" registry is to be updated to include the following entries: + +~~~ +label: dns-account-01 +identifier-type: dns +ACME: Y +Reference: This document +~~~ + + +--- back + +# Acknowledgments +{:numbered="false"} diff --git a/draft-ietf-acme-scoped-dns-challenges.mkd b/draft-ietf-acme-scoped-dns-challenges.mkd deleted file mode 100644 index 265af28..0000000 --- a/draft-ietf-acme-scoped-dns-challenges.mkd +++ /dev/null @@ -1,288 +0,0 @@ ---- -title: "Automated Certificate Management Environment (ACME) Scoped DNS Challenges" -abbrev: "ACME-SCOPED-DNS-CHALLENGES" -category: std - -docname: draft-ietf-acme-scoped-dns-challenges-01 -v: 3 -area: Security -workgroup: Automated Certificate Management Environment -keyword: acme -ipr: full3978trust200902 -venue: - group: WG - type: Working Group - mail: acme@ietf.org - arch: https://datatracker.ietf.org/wg/acme/about/ - github: aaomidi/draft-ietf-acme-scoped-dns-challenges - latest: https://aaomidi.github.io/draft-ietf-acme-scoped-dns-challenges - -author: - - - fullname: Antonios A. Chariton - organization: Independent Contributor - email: daknob@daknob.net - - - fullname: Amir A. Omidi - organization: Spirl - email: amir@aaomidi.com - - - fullname: James Kasten - organization: Google - email: jdkasten@google.com - - - fullname: Fotis Loukos - organization: Google - email: fotisl@google.com - - - fullname: Stanislaw A. Janikowski - organization: Google - email: stanwise@google.com - -normative: - FIPS180-4: - title: "Secure Hash Standard (SHS)" - date: 2015-08 - target: https://csrc.nist.gov/publications/detail/fips/180/4/final - author: - org: National Institute of Standards and Technology - -informative: - I-D.draft-ietf-dnsop-domain-verification-techniques: - ---- abstract - -This document outlines a new challenge for the ACME protocol, enabling an ACME client to answer a domain control validation challenge from an ACME server using a DNS resource linked to the ACME Account ID. This allows multiple systems or environments to handle challenge-solving for a single domain. - ---- middle - -# Introduction - -The `dns-01` challenge specified in section 8.4 of {{!RFC8555}} requires that ACME clients validate the domain under the `_acme-challenge` label for the `TXT` record. This label creates several limitations in domain validation. - -First, the `_acme-challenge` label does not specify if the authorization is intended for a specific host, a wildcard domain, or a domain and all of its subdomains. Consequently, domain owners who may be delegating or provisioning authorization labels for a domain must concede control over the domain and all subdomains, violating the principle of least privilege. - -Furthermore, since each domain only has a single authorization label, it creates an impediment limiting the number of other entities domain validation can be delegated to. Delegating authorization to an entity requires the use of CNAME records, which can only used once per DNS name (or in this case, once per authorization label). This limitation requires operators to pick a single ACME challenge solver for their domain name. - -In multi-region deployments, where separate availability zones serve the same content, and dependencies across them are avoided, operators need a way to obtain a separate certificate per zone, for the same domain name. Similarly, in cases of zero-downtime migration, two different setups of the infrastructure may coexist for a long period of time, and both need access to valid certificates. - -This document specifies two new challenge types. `dns-02` and `dns-account-01`, which aim to address these deficiencies. - -This work follows all recommendations set forth in "Domain Control Validation using DNS" [I-D.draft-ietf-dnsop-domain-verification-techniques]. - -This RFC does not intend to deprecate the `dns-01` challenge specified in {{!RFC8555}}. Since these new challenges do not modify any pre-existing challenges, the ability to complete the `dns-02` or `dns-account-01` challenge requires ACME server operators to deploy new changes to their codebase. This makes adopting and using these challenges an opt-in process. - -## DNS-02 - -The `dns-02` challenge adds onto `dns-01` by introducing a scoping mechanism to the domain authorization label. This allows for the client to specify if the intended domain validation is for a specific host, a wildcard domain, or a domain and all of its subdomains. - -## DNS-ACCOUNT-01 - -The `dns-account-01` challenge leverages the ACME account URL to present an account-unique stable challenge to an ACME server. This challenge allows any domain name to delegate its domain validation to more than one service through -unique per ACME account DNS records. - -With this new challenge, domain validation of the same DNS name can be done through different authorization labels. Since these authorization labels will depend on the ACME account KID ({{!RFC8555, Section 6.2}}), any number of them can be generated in advance. This allows all required `CNAME` records for domain validation delegation to be constructed statically. - -# Conventions and Definitions - -{::boilerplate bcp14-tagged} - -# DNS-02 Challenge - -When the identifier being validated is a domain name, the client can prove control of that domain by provisioning a `TXT` resource record containing a designated value for a specific validation domain name. - -* type (required, string): The string "dns-02". -* token (required, string): A random value that uniquely identifies the challenge. This value MUST have at least 128 bits of entropy. It MUST NOT contain any characters outside the base64url alphabet, including padding characters ("="). See {{!RFC4086}} for additional information on additional requirements for secure randomness. - -~~~ -{ - "type": "dns-02", - "url": "https://example.com/acme/chall/i00MGYwLWIx", - "status": "pending", - "token": "ODE4OWY4NTktYjhmYS00YmY1LTk5MDgtZTFjYTZmNjZlYTUx" -} -~~~ - -A client can fulfill this challenge by performing the following steps: - -- Construct a key authorization {{!RFC8555, Section 8.1}} from the `token` value provided in the challenge and the client's account key -- Compute the SHA-256 digest {{FIPS180-4}} of the key authorization -- Construct the validation domain name by specifying the scope for the domain name being validated: - - "_acme-" || || "-challenge" - - - SCOPE is - - "host" if the associated authorization applies only to the specific host name and no labels beneath it - - "wildcard" if the associated authorization is for a wildcard domain and contains the `wildcard` field set to true ({{?RFC8555, Section 7.1.4}}) - - "domain" if the authorization is for both the host and all subdomains by containing the `subdomainAuthAllowed` field set to true ({{?RFC9444, Section 4.1}}). - - The `"||"` operator indicates concatenation of strings - -- Provision a DNS `TXT` record with the base64url digest value under the constructed domain validation name - - For example, if the domain name being validated is the wildcard of `*.example.org` then the client would provision the following DNS record: - - ~~~ - _acme-wildcard-challenge.example.org 300 IN TXT "LoqXcYV8...jxAjEuX0.9jg46WB3...fm21mqTI" - ~~~ - - (In the above, "..." indicates that the token and the JWK thumbprint in the key authorization have been truncated to fit on the page.) - -- Respond to the ACME server with an empty object ({}) to acknowledge that the challenge can be validated by the server - - ~~~ - POST /acme/chall/Rg5dV14Gh1Q - Host: example.com - Content-Type: application/jose+json - - { - "protected": base64url({ - "alg": "ES256", - "kid": "https://example.com/acme/acct/evOfKhNU60wg", - "nonce": "SS2sSl1PtspvFZ08kNtzKd", - "url": "https://example.com/acme/chall/Rg5dV14Gh1Q" - }), - "payload": base64url({}), - "signature": "Q1bURgJoEslbD1c5...3pYdSMLio57mQNN4" - } - ~~~ - -On receiving a response, the server constructs and stores the key authorization from the challenge `token` value. - -To validate the `dns-02` challenge, the server performs the following steps: - -- Compute the SHA-256 digest {{FIPS180-4}} of the stored key authorization -- Compute the validation domain name with the scope of the associated authorization similar to the client -- Query for `TXT` records for the validation domain name -- Verify that the contents of one of the `TXT` records match the digest value - -If all the above verifications succeed, then the validation is successful. If no DNS record is found, or DNS record and response payload do not pass these checks, then the server MUST fail the validation and mark the challenge as invalid. - -The client SHOULD de-provision the resource record(s) provisioned for this challenge once the challenge is complete, i.e., once the "status" field of the challenge has the value "valid" or "invalid". - -## Errors - -The server SHOULD follow the guidelines set in {{!RFC8555, Section 6.7}} for error conditions that occur during challenge validation. - -# DNS-ACCOUNT-01 Challenge - -When the identifier being validated is a domain name, the client can prove control of that domain by provisioning a `TXT` resource record containing a designated value for a specific validation domain name. - -* type (required, string): The string "dns-account-01". -* token (required, string): A random value that uniquely identifies the challenge. This value MUST have at least 128 bits of entropy. It MUST NOT contain any characters outside the base64url alphabet, including padding characters ("="). See {{!RFC4086}} for additional information on additional requirements for secure randomness. - -~~~ -{ - "type": "dns-account-01", - "url": "https://example.com/acme/chall/i00MGYwLWIx", - "status": "pending", - "token": "ODE4OWY4NTktYjhmYS00YmY1LTk5MDgtZTFjYTZmNjZlYTUx" -} -~~~ - -A client can fulfill this challenge by performing the following steps: - -- Construct a key authorization {{!RFC8555, Section 8.1}} from the `token` value provided in the challenge and the client's account key -- Compute the SHA-256 digest {{FIPS180-4}} of the key authorization -- Construct the validation domain name by prepending the following two labels to the domain name being validated: - - "_" || base32(SHA-256()[0:10]) || "._acme-" || || "-challenge" - - - SHA-256 is the SHA hashing operation defined in {{!RFC6234}} - - `[0:10]` is the operation that selects the first ten bytes (bytes 0 through 9 inclusive) from the previous SHA-256 operation - - base32 is the operation defined in {{!RFC4648}} - - ACCOUNT_URL is defined in {{!RFC8555, Section 7.3}} as the value in the `Location` header field - - SCOPE is - - "host" if the associated authorization applies only to the specific host name and no labels beneath it - - "wildcard" if the associated authorization is for a wildcard domain and contains the `wildcard` field set to true ({{?RFC8555, Section 7.1.4}}) - - "domain" if the authorization is for both the host and all subdomains by containing the `subdomainAuthAllowed` field set to true ({{?RFC9444, Section 4.1}}). - - The `"||"` operator indicates concatenation of strings - -- Provision a DNS `TXT` record with the base64url digest value under the constructed domain validation name - - For example, if the domain name being validated is `*.example.org`, and the account URL of `https://example.com/acme/acct/ExampleAccount` then the client would provision the following DNS record: - - ~~~ - _ujmmovf2vn55tgye._acme-wildcard-challenge.example.org 300 IN TXT "LoqXcYV8...jxAjEuX0.9jg46WB3...fm21mqTI" - ~~~ - - (In the above, "..." indicates that the token and the JWK thumbprint in the key authorization have been truncated to fit on the page.) - -- Respond to the ACME server with an empty object ({}) to acknowledge that the challenge can be validated by the server - - ~~~ - POST /acme/chall/Rg5dV14Gh1Q - Host: example.com - Content-Type: application/jose+json - - { - "protected": base64url({ - "alg": "ES256", - "kid": "https://example.com/acme/acct/ExampleAccount", - "nonce": "SS2sSl1PtspvFZ08kNtzKd", - "url": "https://example.com/acme/chall/Rg5dV14Gh1Q" - }), - "payload": base64url({}), - "signature": "Q1bURgJoEslbD1c5...3pYdSMLio57mQNN4" - } - ~~~ - -On receiving this response, the server validates the message and constructs and stores the key authorization from the challenge `token` value and the current client account key. - -To validate the `dns-account-01` challenge, the server performs the following steps: - -- Compute the SHA-256 digest {{FIPS180-4}} of the stored key authorization -- Compute the validation domain name with the KID value in the JWS message -- Query for `TXT` records for the validation domain name -- Verify that the contents of one of the `TXT` records match the digest value - -If all the above verifications succeed, then the validation is successful. If no DNS record is found, or DNS record and response payload do not pass these checks, then the server MUST fail the validation and mark the challenge as invalid. - -The client SHOULD de-provision the resource record(s) provisioned for this challenge once the challenge is complete, i.e., once the "status" field of the challenge has the value "valid" or "invalid". - -## Errors - -The server SHOULD follow the guidelines set in {{!RFC8555, Section 6.7}} for error conditions that occur during challenge validation. - -If the server is unable to find a `TXT` record for the validation domain name, it SHOULD include the account URL it used to construct the validation domain name in the problem document. Clients MUST NOT use or rely on the presence of this field to construct the validation domain name. - -## Implementation Considerations - -As this challenge creates strong dependency on the `kid` account identifier, the server SHOULD ensure that the account identifier is not changed during the lifetime of the account. This contains the entire URI, including the ACME endpoint domain name, port, and full HTTP path. - -# Security Considerations - -These challenges follow the recommendations set out in "Domain Control Validation using DNS" {{I-D.draft-ietf-dnsop-domain-verification-techniques}} for supporting multiple intermediates within the context of {{!RFC8555}}. - -In both `dns-account-01` and `dns-02`, the same security considerations apply for the integrity of authorizations ({{!RFC8555, Section 10.2}}) and DNS security ({{!RFC8555, Section 11.2}}) as in the original specification for `dns-01`. They both differ from `dns-01` in that the challenges are scoped to the particular name being validated without relying upon CAA ({{!RFC8659}}). - -## DNS-ACCOUNT-01 - -To allow for seamless account key rollover without the label changing, the dynamic part of the label depends on the ACME account and not the account key. This allows for long-lived labels, without the security considerations of keeping the account key static. - -In terms of the construction of the account label prepended to the domain name, there is no need for a cryptographic hash. The goal is to simply create a long-lived and statistically distinct label of minimal size. SHA-256 was chosen due to its existing use in the `dns-01` challenge ({{!RFC8555, Section 8.1}}). - -The first 10 bytes were picked as a tradeoff: the value needs to be short enough to stay lower than the size limits for DNS ({{!RFC1035, Section 2.3.4}}), long enough to provide sufficient probability of collision avoidance across ACME accounts, and just the right size to have Base32 require no padding. As the algorithm is used for a uniform distribution of inputs, and not for integrity, we do not consider the trimming a security issue. - -# IANA Considerations - -## ACME Validation Method - -The "ACME Validation Methods" registry is to be updated to include the following entries: - -~~~ -label: dns-02 -identifier-type: dns -ACME: Y -Reference: This document - -label: dns-account-01 -identifier-type: dns -ACME: Y -Reference: This document -~~~ - - ---- back - -# Acknowledgments -{:numbered="false"}