forked from letsencrypt/acme-spec
-
Notifications
You must be signed in to change notification settings - Fork 0
/
draft-barnes-acme.txt
2016 lines (1308 loc) · 71.1 KB
/
draft-barnes-acme.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Network Working Group R. Barnes
Internet-Draft E. Rescorla
Intended status: Standards Track Mozilla
Expires: March 5, 2015 P. Eckersley
S. Schoen
EFF
A. Halderman
J. Kasten
University of Michigan
September 01, 2014
Automatic Certificate Management Environment (ACME)
draft-barnes-acme-00
Abstract
Certificates in the Web's X.509 PKI (PKIX) are used for a number of
purposes, the most significant of which is the authentication of
domain names. Thus, certificate authorities in the Web PKI are
trusted to verify that an applicant for a certificate legitimately
represents the domain name(s) in the certificate. Today, this
verification is done through a collection of ad-hoc mechanisms. This
document describes a protocol that a certificate authority (CA) and a
applicant can use to automate the process of verification and
certificate issuance. The protocol also provides facilities for
other certificate management functions, such as certificate
revocation.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 5, 2015.
Barnes, et al. Expires March 5, 2015 [Page 1]
Internet-Draft ACME September 2014
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Deployment Model and Operator Experience . . . . . . . . . . 4
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 6
5. Certificate Management . . . . . . . . . . . . . . . . . . . 8
5.1. General Request/Response Lifecycle . . . . . . . . . . . 9
5.2. Signatures . . . . . . . . . . . . . . . . . . . . . . . 12
5.3. Key Authorization . . . . . . . . . . . . . . . . . . . . 13
5.3.1. Recovery Tokens . . . . . . . . . . . . . . . . . . . 18
5.4. Certificate Issuance . . . . . . . . . . . . . . . . . . 19
5.5. Certificate Revocation . . . . . . . . . . . . . . . . . 21
6. Identifier Validation Challenges . . . . . . . . . . . . . . 22
6.1. Simple HTTPS . . . . . . . . . . . . . . . . . . . . . . 24
6.2. Domain Validation with Server Name Indication . . . . . . 25
6.3. Recovery Contact . . . . . . . . . . . . . . . . . . . . 27
6.4. Recovery Token . . . . . . . . . . . . . . . . . . . . . 29
6.5. Proof of Possession of a Prior Key . . . . . . . . . . . 29
6.6. DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
6.7. Other possibilities . . . . . . . . . . . . . . . . . . . 33
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34
8. Security Considerations . . . . . . . . . . . . . . . . . . . 34
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 34
9.1. Normative References . . . . . . . . . . . . . . . . . . 34
9.2. Informative References . . . . . . . . . . . . . . . . . 35
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 35
1. Introduction
Certificates in the Web PKI are most commonly used to authenticate
domain names. Thus, certificate authorities in the Web PKI are
Barnes, et al. Expires March 5, 2015 [Page 2]
Internet-Draft ACME September 2014
trusted to verify that an applicant for a certificate legitimately
represents the domain name(s) in the certificate.
Existing Web PKI certificate authorities tend to run on a set of ad-
hoc protocols for certificate issuance and identity verification. A
typical user experience is something like:
o Generate a PKCS#10 [RFC2314] Certificate Signing Request (CSR).
o Cut-and-paste the CSR into a CA web page.
o Prove ownership of the domain by one of the following methods:
* Put a CA-provided challenge at a specific place on the web
server
* Put a CA-provided challenge at a DNS location corresponding to
the target domain.
* Receive CA challenge at a (hopefully) administrator-controlled
e-mail address corresponding to the domain and then respond to
it on the CA's web page.
o Download the issued certificate and install it on their Web
Server.
With the exception of the CSR itself and the certificates that are
issued, these are all completely ad hoc procedures and are
accomplished by getting the human user to follow interactive natural-
language instructions from the CA rather than by machine-implemented
published protocols. In many cases, the instructions are difficult
to follow and cause significant confusion. Informal usability tests
by the authors indicate that webmasters often need 1-3 hours to
obtain and install a certificate for a domain. Even in the best
case, the lack of published, standardized mechanisms presents an
obstacle to the wide deployment of HTTPS and other PKIX-dependent
systems because it inhibits mechanization of tasks related to
certificate issuance, deployment, and revocation.
This document describes an extensible framework for automating the
issuance and domain validation procedure, thereby allowing servers
and infrastructural software to obtain certificates without user
interaction. Use of this protocol should radically simplify the
deployment of HTTPS and the practicality of PKIX authentication for
other TLS based protocols.
Barnes, et al. Expires March 5, 2015 [Page 3]
Internet-Draft ACME September 2014
2. Deployment Model and Operator Experience
The major guiding use case for ACME is obtaining certificates for Web
sites (HTTPS [RFC2818]). In that case, the server is intended to
speak for one or more domains, and the process of certificate
issuance is intended to verify that the server actually speaks for
the domain.
Different types of certificates reflect different kinds of CA
verification of information about the certificate subject. "Domain
Validation" (DV) certificates are by far the most common type. For
DV validation, the CA merely verifies that the requester has
effective control of the domain, but does not explicitly attempt to
verify their real-world identity. (This is as opposed to
"Organization Validation" (OV) and "Extended Validation" (EV)
certificates, where the process is intended to also verify the real-
world identity of the requester.)
DV certificate validation commonly checks claims about properties
related to control of a domain name - properties that can be observed
by the issuing authority in an interactive process that can be
conducted purely online. That means that under typical
circumstances, all steps in the request, verification, and issuance
process can be represented and performed by Internet protocols with
no out-of-band human intervention.
When an operator deploys a current HTTPS server, it generally prompts
him to generate a self-signed certificate. When an operator deploys
an ACME-compatible web server, the experience would be something like
this:
o The web server prompts the operator for the intended domain
name(s) that the web server is to stand for.
o The web server presents the operator with a list of CAs which it
could get a certificate from using ACME. The web server might
prompt the operator for payment information at this point.
o Once the operator has selected a CA, the web server tells the
operator that he will have a certificate shortly.
o In the background, the web server contacts the CA and uses ACME to
request that a certificate be issued for the intended domain
name(s).
o Once the CA is satisfied, the certificate is issued and the web
server automatically downloads and installs it, potentially
notifying the operator via e-mail, SMS, etc.
Barnes, et al. Expires March 5, 2015 [Page 4]
Internet-Draft ACME September 2014
o The web server periodically contacts the CA to get updated
certificates, stapled OCSP responses, or whatever else would be
required to keep the server functional and its credentials up-to-
date.
The overall idea is that it's nearly as easy to deploy with a CA-
issued certificate as a self-signed certificate, and that once the
operator has done so, the process is self-sustaining with minimal
manual intervention. Close integration of ACME with HTTPS servers,
for example, can allow the immediate and automated deployment of
certificates as they are issued, optionally sparing the human
administrator from additional configuration work.
3. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
The two main roles in ACME are "client" and "server" The ACME client
uses the protocol to request certificate management actions, such as
issuance or revocation. An ACME client therefore typically runs on a
web server, mail server, or some other server system which requires
valid TLS certificates. The ACME server is a certificate authority,
or an interface to one, which responds to client requests, performing
the requested actions if the client is authorized.
For simplicity, in the HTTPS transactions used by ACME, the ACME
client is the HTTPS client and the ACME server is the HTTPS server.
In the discussion below, we will refer to three different types of
keys / key pairs:
Subject Public Key: A public key to be included in a certificate.
Authorized Key Pair: A key pair for which the ACME server considers
the holder of the private key authorized to manage certificates
for a given identifier. The same key pair may be authorized for
multiple identifiers.
Recovery Token: A secret value that can be used to demonstrate prior
authorization for an identifier, in a situation where all Subject
Private Keys and Authorized Keys are lost.
ACME messaging is based on HTTPS [RFC2818] and JSON [RFC7159]. Since
JSON is a text-based format, binary fields are Base64-encoded. For
Base64 encoding, we use the variant defined in
[I-D.ietf-jose-json-web-signature]. The important features of this
Barnes, et al. Expires March 5, 2015 [Page 5]
Internet-Draft ACME September 2014
encoding are (1) that it uses the URL-safe character set, and (2)
that "=" padding characters are stripped.
4. Protocol Overview
ACME allows a client to request certificate management actions using
a set of JSON messages carried over HTTPS. It is a prerequisite for
this process that the client be configured with the HTTPS URI for the
server. ACME messages MUST NOT be carried over "plain" HTTP, without
HTTPS semantics.
In some ways, ACME functions much like a traditional CA, in which a
user creates an account, adds domains to that account (proving
control of the domains), and requests certificate issuance for those
domains while logged in to the account. In ACME, the account is
represented by a key pair. The "add a domain" function is
accomplished by authorizing the key pair for a given domain, and
certificate issuance is authorized by a signature with the key pair.
The first phase of ACME is for the client to establish an authorized
key pair with the server for the identifier(s) it wishes to include
in the certificate. To do this, the client must demonstrate to the
server both (1) that it holds the private key of the key pair being
authorized, and (2) that it has authority over the identifier being
claimed.
In the key authorization process, then, the server presents the
client with two tests. First, a task to demonstrate that the client
holds the private key of key pair being authorized, and second, a set
of challenges that the client can perform to demonstrate its
authority over the domain in question.
Because there are many different ways to validate possession of
different types of identifiers, the server will choose from an
extensible set of challenges that are appropriate for the identifier
being claimed. For example, if the client requests a domain name,
the server might challenge the client to provision a record in the
DNS under that name, or to provision a file on a web server reference
by an A or AAAA record under that name.
After the client has prepared responses to the server's challenges,
it sends a second request with its responses to these challenges.
The server's response indicates whether the request for authorization
has succeeded or failed. If the authorization request succeeded, the
server also provides a recovery token, which the client can use in a
later authorization transaction to show that it is the same as the
entity that participated in this authorization.
Barnes, et al. Expires March 5, 2015 [Page 6]
Internet-Draft ACME September 2014
Client Server
Desired identifier ------->
PoP nonce
Session ID
<------- Identifier Challenges
Public key
Session ID
PoP nonce
PoP signature
[Contact information]
Responses to challenges ------->
<------- Recovery token
Once the client has established an authorized key pair for an
identifier, it can use the key pair to authorized the issuance of
certificates for the identifier. To do this, the client sends a
PKCS#10 Certificate Signing Request (CSR) to the server (indicating
the identifier(s) to be included in the issued certificate), and a
signature over th CSR by the private key of the authorized key pair.
If the server agrees to issue the certificate, then it creates the
certificate and provides it in its response. The server may also
provide a URI that can be used to renew the certificate, if it allows
renewal without re-validation.
Client Server
CSR
Signature by auth'd key -------->
Certificate
<-------- Renewal URI
To revoke a certificate, the client simply sends a revocation
request, signed with an authorized key pair, and the server indicates
whether the request has succeeded.
Barnes, et al. Expires March 5, 2015 [Page 7]
Internet-Draft ACME September 2014
Client Server
Revocation request
Signature by auth'd key -------->
<-------- Result
Note that while ACME is defined with enough flexibility to handle
different types of identifiers in principle, the primary use case
addressed by this document is the case where domain names are used as
identifiers. For example, all of the identifier validation
challenges described in Section {#validation} below address
validation of domain names. The use of ACME for other protocols will
require further specification, in order to describe how these
identifiers are encoded in the protocol, and what types of validation
challenges the server might require.
5. Certificate Management
In this section, we describe the four certificate management
functions that ACME enables:
o Key Authorization
o Certificate Issuance
o Certificate Revocation
Each of these functions is accomplished by the client sending a
sequence of HTTPS requests to the server, carrying JSON messages. So
each subsection below describes the message formats used by the
function, and the order in which messages are sent.
All ACME messages share some common structure. At base, each ACME
message is a JSON dictionary, and MUST include a "type" field to
indicate which type of message it is.
type (required, string): The type of ACME message encoded in this
JSON dictionary.
All other fields in an ACME message are defined by the type, as
described below. Unrecognized fields in ACME messages MUST be
ignored. Creators of ACME messages MUST NOT create messages with
duplicate fields. Parsers of ACME messages MAY be tolerant of
duplicate fields, but the behavior of the protocol in this case is
undefined.
Barnes, et al. Expires March 5, 2015 [Page 8]
Internet-Draft ACME September 2014
5.1. General Request/Response Lifecycle
Client-server interactions in ACME are logically request/response
transactions, corresponding directly to HTTPS requests and responses.
The client sends a request message of a particular type, and the
server sends response of a corresponding type.
All requests for a given ACME server are sent to the same HTTPS URI.
It is assumed that clients are configured with this URI out of band.
ACME requests MUST use the POST method, and since they carry JSON
payloads, SHOULD set the Content-Type header field to "application/
json". ACME responses MUST be carried in HTTP responses with the
status code 200. ACME clients SHOULD follow HTTP redirects (301 or
302 responses), in case an ACME server is relocated.
ACME provides three general message types - "error", "defer", and
"statusRequest" - to cover cases where the server is not able to
return a successful result immediately. If there is a problem that
prevents the request from succeeding, then the server sends an error
message. The fields in an error message are as follows:
type (required, string): "error"
error (required, string): A token from the below list indicating
what type of error occurred.
message (optional, string): A human-readable string describing the
error.
moreInfo (optional, string): A URL of a resource containing
additional human-readable documentation about the error, such as
advice on how to revise the request or adjust the client
configuration to allow the request to succeed, or documentation of
CA issuance policies that describe why the request cannot be
fulfilled.
{
"type": "error",
"error": "badCSR",
"message": "RSA keys must be at least 2048 bits long",
"moreInfo": "https://ca.example.com/documentation/csr-requirements"
}
The possible error codes are as follows:
Barnes, et al. Expires March 5, 2015 [Page 9]
Internet-Draft ACME September 2014
+----------------+--------------------------------------------------+
| Code | Semantic |
+----------------+--------------------------------------------------+
| malformed | The request message was malformed |
| | |
| unauthorized | The client lacks sufficient authorization |
| | |
| serverInternal | The server experienced an internal error |
| | |
| notSupported | The request type is not supported |
| | |
| unknown | The server does not recognize an ID/token in the |
| | request |
| | |
| badCSR | The CSR is unacceptable (e.g., due to a short |
| | key) |
+----------------+--------------------------------------------------+
The server may also defer providing a response by sending a defer
message. For example, in the key authorization process, the server
may need additional time to validate the client's responses to its
challenges. Or in the issuance process, there may be some delay due
to batch signing. The fields in a defer message are as follows:
type (required, string): "defer"
token (required, string): An opaque value that the client uses to
check on the status of the request (using a statusRequest
message).
interval (optional, number): The amount of time, in seconds, that
the client should wait before checking on the status of the
request. (This is a recommendation only, and clients SHOULD
enforce minimum and maximum deferral times.)
message (optional, string): A human-readable string describing the
reason for the deferral.
For example, a deferral due to batch signing might be indicated with
a message of the following form:
{
"type": "defer",
"token": "O7-s9MNq1siZHlgrMzi9_A",
"message": "Warming up the HSM"
}
Barnes, et al. Expires March 5, 2015 [Page 10]
Internet-Draft ACME September 2014
When a client receives a defer message, it periodically sends a
statusRequest message to the server, with the token provided in the
defer message.
type (required, string): "statusRequest"
token (required, string): An opaque value that was provided in a
defer message.
{
"type": "statusRequest",
"token": "O7-s9MNq1siZHlgrMzi9_A"
}
If the server responds with another defer message, then the server
still does not have a final response. The client MUST ignore the
"token" value in defer responses provided in responses to status
requests, and continue polling with the original token. Any non-
defer response (error or success) is considered final, and the client
MUST cease polling.
In summary, the client goes through the following state machine to
perform an ACME transaction:
START
|
V
RESPONSE_WAIT <-----------+
| |
+----------+-----------+ |
| | | |
V V V |
TIMEOUT GOT_FINAL GOT_DEFER --+
The client begins by sending a request and awaiting the response. If
the response contains an ACME message of any type besides "defer",
then the request is completed, and if no response arrives, the
request times out. If a defer request arrives, then the client waits
some time and sends a polling request, whose response is handled in
the same way as the original request.
The following table summarizes the request and response types defined
in this document. If the server provides the client with a non-error
response of a type that does not match the request message type, then
the client MUST treat it as an error message with code
"serverInternal".
Barnes, et al. Expires March 5, 2015 [Page 11]
Internet-Draft ACME September 2014
+----------------------+---------------+
| Request | Response |
+----------------------+---------------+
| challengeRequest | challenge |
| | |
| authorizationRequest | authorization |
| | |
| certificateRequest | certificate |
| | |
| revocationRequest | revocation |
| | |
| statusRequest | (any) |
+----------------------+---------------+
5.2. Signatures
ACME uses a simple JSON-based structure for encoding signatures,
based on the JSON Web Signature structure. An ACME signature is a
JSON object, with the following fields:
alg (required, string): A token indicating the cryptographic
algorithm used to compute the signature
[I-D.ietf-jose-json-web-algorithms] (MAC algorithms such as "HS*"
MUST NOT be used.)
sig (required, string): The signature, base64-encoded.
nonce (required, string): A signer-provided random nonce of at least
16 bytes, base64-encoded. (For anti-replay.)
jwk (required, object): A JSON Web Key object describing the key
used to verify the signature [I-D.ietf-jose-json-web-key].
Each usage of a signature object must specify the content being
signed. To avoid replay risk, the input to the signature algorithm
is the concatenation of the nonce with the content to be signed.
signature-input = nonce || content
A verifier computes the same input before verifying the signature.
Note that while an signature object contains all of the information
required to verify the signature, the verifier must also check that
the public key encoded in the JWK object is the correct key for a
given context.
Barnes, et al. Expires March 5, 2015 [Page 12]
Internet-Draft ACME September 2014
5.3. Key Authorization
The key authorization process establishes a key pair as an authorized
key pair for a given identifier. This process must assure the server
of two things: First, that the client controls the private key of the
key pair, and second, that the client holds the identifier in
question. This process may be repeated to associate multiple
identifiers to a key pair (e.g., to request certificates with
multiple identifiers), or to associate multiple key pairs with an
identifier (e.g., for load balancing).
As illustrated by the figure in the overview section above, the
authorization process proceeds in two transactions. The client first
requests a list of challenges from the server, and then requests
authorization based on its answers to those challenges.
The first request in the key authorization process is a
"challengeRequest" message, specifying the identifier for which the
client will be requesting authorization. The fields in a
challengeRequest message are as follows:
type (required, string): "challengeRequest"
identifier (required, string): The identifier for which
authorization is being sought. For implementations of this
specification, this identifier MUST be a domain name. (If other
types of identifier are supported, then an extension to this
protocol will need to add a field to distinguish types of
identifier.)
{
"type": "challengeRequest",
"identifier": "example.com"
}
On receiving a challengeRequest message, the server determines what
sorts of challenges it will accept as proof that the client holds the
identifier. (The server could also decide that a particular
identifier is invalid or that the server cannot possibly issue
certificates related to that identifier, in which case the server may
return an error.) The set of challenges may be limited by the
server's capabilities, and the server may require different
challenges to be completed for different identifiers (e.g., requiring
a higher standard for higher-value names). In all cases, however,
the server provides a nonce as a proof-of-possession challenge for
the key pair being authorized. The server returns this policy to the
client in a "challenge" message:
Barnes, et al. Expires March 5, 2015 [Page 13]
Internet-Draft ACME September 2014
type (required, string): "challenge"
sessionID (required, string): An opaque string that allows the
server to correlate transactions related to this challenge
request.
nonce (required, string): A base64-encoded octet string that the
client is expected to sign with the private key of the key pair
being authorized.
challenges (required, array): A list of challenges to be fulfilled
by the client in order to prove possession of the identifier. The
syntax for challenges is described in Section Section 6.
combinations (optional, array of arrays): A collection of sets of
challenges, each of which would be sufficient to prove possession
of the identifier. Clients SHOULD complete a set of challenges
that that covers at least one set in this array. Challenges are
represented by their associated zero-based index in the challenges
array.
For example, if the server wants to have the client demonstrate both
that the client controls the domain name in question, and that he is
the same client that previously requested authorization for the
domain name, it might issue the following request. The client is
expected to provide "simpleHttps" and "recoveryToken" responses
("[0,2]"), or else "dns" and "recoveryToken" responses ("[1,2]"), or
all three.
Barnes, et al. Expires March 5, 2015 [Page 14]
Internet-Draft ACME September 2014
{
"type": "challenge",
"sessionID": "aefoGaavieG9Wihuk2aufai3aeZ5EeW4",
"nonce": "czpsrF0KMH6dgajig3TGHw",
"challenges": [
{
"type": "simpleHttps",
"token": "IlirfxKKXAsHtmzK29Pj8A"
},
{
"type": "dns",
"token": "DGyRejmCefe7v4NfDGDKfA"
},
{
"type": "recoveryToken"
}
],
"combinations": [
[0, 2], [1, 2]
]
}
In order to avoid replay attacks, the server MUST generate a fresh
nonce of at least 128 bits for each authorization transaction, and
MUST NOT accept more than one authorizationRequest with the same
nonce.
The client SHOULD satisfy all challenges in one of sets expressed in
the "combinations" array. If a "combinations" field is not
specified, the client SHOULD attempt to fulfill as many challenges as
possible.
Once the client believes that it has fulfilled enough challenges, it
creates an authorizationRequest object requesting authorization of a
key pair for this identifier based on its responses. The
authorizationRequest also contains the public key to be authorized,
and the signature by the corresponding private key over the nonce in
the challenge.
type (required, string): "authorizationRequest"
sessionID (required, string): The session ID provided by the server
in the challenge message (to allow the server to correlate the two
transactions).
nonce (required, string): The nonce provided by the server in the
challenge message.
Barnes, et al. Expires March 5, 2015 [Page 15]
Internet-Draft ACME September 2014
signature (required, object): A signature object reflecting a
signature over the identifier being authorized and the nonce
provided by the server. Thus, for this authorization:
signature-input = signature-nonce || identifier || server-nonce
responses (required, array): The client's responses to the server's
challenges, in the same order as the challenges. If the client
chooses not to respond to a given challenge, then the
corresponding entry in the response array is set to null.
Otherwise, it is set to a value defined by the challenge type.
contact (optional, array): An array of URIs that the server can use
to contact the client for issues related to this authorization.
For example, the server may wish to notify the client about
server-initiated revocation, or check with the client on future
authorizations (see the "recoveryContact" challenge type).
Barnes, et al. Expires March 5, 2015 [Page 16]
Internet-Draft ACME September 2014
{
"type": "authorizationRequest",
"sessionID": "aefoGaavieG9Wihuk2aufai3aeZ5EeW4",
"nonce": "czpsrF0KMH6dgajig3TGHw",
"signature": {
"nonce": "Aenb3DvfvOPImdXdnxHMlp7Jh4qsgYeTEM-dFgFOGxU",
"alg": "ES256",
"jwk": {
"kty": "EC",
"crv": "P-256",
"x": "NJ15BoXput18sSwnXA3gJEEnqIAzxSEl9ga8wGM4mEU",
"y": "6l_U9mals_dwt77tIxSiQ6oL_CyLVey4baa8wCn0V9k"
},
"sig": "lxj0Ucdo4r5s1c1cuY2R7oKqWi4QuNJzdwe5/4m9zWQ"
},
"responses": [
{
"type": "simpleHttps",
"path": "Hf5GrX4Q7EBax9hc2jJnfw"
},
null,
{
"type": "recoveryToken",
"token": "23029d88d9e123e"
}
],
"contact": [
"mailto:[email protected]",
"tel:+12025551212"
]
}
Once it has received the client's responses, the server verifies them
according to procedures specific to each challenge type. Because
some of these procedures take time to verify, it is likely that the
server will respond to an authorizationRequest message with a defer
message.
If there is a problem with the authorizationRequest (e.g., the
signature object does not verify), or if the available responses are
not sufficient to convince the server that the client controls the
identifier, then the server responds with an error message. The
server should use the "unauthorized" error code for cases where the
client's responses were insufficient. If the server is satisfied
that the client controls the private key and identifier in question,
then it sends an authorization message indicating the success of the
authorization request, and providing a recovery token that the client
Barnes, et al. Expires March 5, 2015 [Page 17]
Internet-Draft ACME September 2014
can use to help recover authorization if the private key of the
authorized key pair is lost.
type (required, string): "authorization"
recoveryToken (optional, string): An arbitrary server-generated
string. If the server provides a recovery token, it MUST generate
a unique value for every authorization transaction, and this value
MUST NOT be predictable or guessable by a third party.
identifier (optional, string): The identifier for which
authorization has been granted
jwk (optional, object): A JSON Web Key object describing the
authorized public key
5.3.1. Recovery Tokens
A recovery token is a fallback authentication mechanism. In the
event that a client loses all other state, including authorized key
pairs and key pairs bound to certificates, the client can use the
recovery token to prove that it was previously authorized for the
identifier in question.
This mechanism is necessary because once an ACME server has issued an
Authorization Key for a given identifier, that identifier enters a
higher-security state, at least with respect the ACME server. That
state exists to protect against attacks such as DNS hijacking and
router compromise which tend to inherently defeat all forms of Domain
Validation. So once a domain has begun using ACME, new DV-only
authorization will not be performed without proof of continuity via
possession of an Authorized Private Key or potentially a Subject
Private Key for that domain.
This higher state of security poses some risks. From time to time,
the administrators and owners of domains may lose access to keys they
have previously had issued or certified, including Authorized private
keys and Subject private keys. For instance, the disks on which this
key material is stored may suffer failures, or passphrases for these
keys may be forgotten. In some cases, the security measures that are
taken to protect this sensitive data may contribute to its loss.
Recovery Tokens and Recovery Challenges exist to provide a fallback
mechanism to restore the state of the domain to the server-side