draft-ietf-acme-tls-alpn-03.txt   draft-ietf-acme-tls-alpn-04.txt 
ACME Working Group R. Shoemaker ACME Working Group R. Shoemaker
Internet-Draft ISRG Internet-Draft ISRG
Intended status: Standards Track August 13, 2018 Intended status: Standards Track August 15, 2018
Expires: February 14, 2019 Expires: February 16, 2019
ACME TLS ALPN Challenge Extension ACME TLS ALPN Challenge Extension
draft-ietf-acme-tls-alpn-03 draft-ietf-acme-tls-alpn-04
Abstract Abstract
This document specifies a new challenge for the Automated Certificate This document specifies a new challenge for the Automated Certificate
Management Environment (ACME) protocol which allows for domain Management Environment (ACME) protocol which allows for domain
control validation using TLS. control validation using TLS.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 1, line 32 skipping to change at page 1, line 32
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 14, 2019. This Internet-Draft will expire on February 16, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 43 skipping to change at page 3, line 43
HTTP/1.1 200 OK HTTP/1.1 200 OK
{ {
"type": "tls-alpn-01", "type": "tls-alpn-01",
"url": "https://example.com/acme/authz/1234/1", "url": "https://example.com/acme/authz/1234/1",
"status": "pending", "status": "pending",
"token": "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA" "token": "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
} }
The client prepares for validation by constructing a self-signed The client prepares for validation by constructing a self-signed
certificate which MUST contain a acmeValidation-v1 extension and a certificate which MUST contain a acmeIdentifier extension and a
subjectAlternativeName extension [RFC5280]. The subjectAlternativeName extension [RFC5280]. The
subjectAlternativeName extension MUST contain a single dNSName entry subjectAlternativeName extension MUST contain a single dNSName entry
where the value is the domain name being validated. The where the value is the domain name being validated. The
acmeValidation-v1 extension MUST contain the SHA-256 digest acmeIdentifier extension MUST contain the SHA-256 digest [FIPS180-4]
[FIPS180-4] of the key authorization [I-D.ietf-acme-acme] for the of the key authorization [I-D.ietf-acme-acme] for the challenge. The
challenge. The acmeValidation extension MUST be critical so that the acmeIdentifier extension MUST be critical so that the certificate
certificate isn't inadvertently used by non-ACME software. isn't inadvertently used by non-ACME software.
id-pe-acmeIdentifier OBJECT IDENTIFIER ::= { id-pe 31 } The acmeIdentifier extension has the following format:
id-pe-acmeIdentifier-v1 OBJECT IDENTIFIER ::= { id-pe-acmeIdentifier 1 } id-pe-acmeIdentifier OBJECT IDENTIFIER ::= { id-pe 31 }
acmeValidation-v1 ::= OCTET STRING (SIZE (32)) Authorization ::= OCTET STRING (SIZE (32))
The extnValue of the id-pe-acmeIdentifier extension is the ASN.1 DER
encoding of the Authorization structure.
Once this certificate has been created it MUST be provisioned such Once this certificate has been created it MUST be provisioned such
that it is returned during a TLS handshake that contains a ALPN that it is returned during a TLS handshake that contains a ALPN
extension containing the value "acme-tls/1" and a SNI extension extension containing the value "acme-tls/1" and a SNI extension
containing the domain name being validated. containing the domain name being validated.
A client responds with an empty object ({}) to acknowledge that the A client responds with an empty object ({}) to acknowledge that the
challenge is ready to be validated by the server. The base64url challenge is ready to be validated by the server. The base64url
encoding of the protected headers and payload is described in encoding of the protected headers and payload is described in
[I-D.ietf-acme-acme] Section 6.1. [I-D.ietf-acme-acme] Section 6.1.
skipping to change at page 5, line 14 skipping to change at page 5, line 14
3. Initiate a TLS connection with the chosen IP address, this 3. Initiate a TLS connection with the chosen IP address, this
connection MUST use TCP port 443. The ClientHello that initiates connection MUST use TCP port 443. The ClientHello that initiates
the handshake MUST contain a ALPN extension with the single the handshake MUST contain a ALPN extension with the single
protocol name "acme-tls/1" and a Server Name Indication [RFC6066] protocol name "acme-tls/1" and a Server Name Indication [RFC6066]
extension containing the domain name being validated. extension containing the domain name being validated.
4. Verify that the ServerHello contains a ALPN extension containing 4. Verify that the ServerHello contains a ALPN extension containing
the value "acme-tls/1" and that the certificate returned contains the value "acme-tls/1" and that the certificate returned contains
a subjectAltName extension containing the dNSName being validated a subjectAltName extension containing the dNSName being validated
and no other entries and a critical acmeValidation extension and no other entries and a critical acmeIdentifier extension
containing the digest computed in step 1. The comparison of containing the digest computed in step 1. The comparison of
dNSNames MUST be case insensitive [RFC4343]. Note that as ACME dNSNames MUST be case insensitive [RFC4343]. Note that as ACME
doesn't support Unicode identifiers all dNSNames MUST be encoded doesn't support Unicode identifiers all dNSNames MUST be encoded
using the [RFC3492] rules. using the [RFC3492] rules.
If all of the above steps succeed then the validation is successful, If all of the above steps succeed then the validation is successful,
otherwise it fails. Once the TLS handshake has been completed the otherwise it fails. Once the TLS handshake has been completed the
connection MUST be immediately closed and no further data should be connection MUST be immediately closed and no further data should be
exchanged. exchanged.
 End of changes. 9 change blocks. 
13 lines changed or deleted 16 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/