Diff of draft-ietf-acme-tls-alpn-04.txt and draft-ietf-acme-tls-alpn-05.txt
(rfcdiff side-by-side output; text common to both drafts is shown once,
lines that differ are shown as "-04:" / "-05:" pairs)

ACME Working Group                                           R. Shoemaker
Internet-Draft                                                       ISRG
Intended status: Standards Track
   -04: August 15, 2018
   -05: August 16, 2018
Expires:
   -04: February 16, 2019
   -05: February 17, 2019

                    ACME TLS ALPN Challenge Extension
   -04: draft-ietf-acme-tls-alpn-04
   -05: draft-ietf-acme-tls-alpn-05

Abstract

   This document specifies a new challenge for the Automated Certificate
   Management Environment (ACME) protocol which allows for domain
   control validation using TLS.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the

   [skipping to change at page 1, line 32]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on
   -04: February 16, 2019.
   -05: February 17, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   [skipping to change at page 4, line 10]

   acmeIdentifier extension MUST be critical so that the certificate
   isn't inadvertently used by non-ACME software.

   The acmeIdentifier extension has the following format:

   id-pe-acmeIdentifier OBJECT IDENTIFIER ::= { id-pe 31 }

   Authorization ::= OCTET STRING (SIZE (32))

   -04: The extnValue of the id-pe-acmeIdentifier extension is the ASN.1 DER
        encoding of the Authorization structure.
   -05: The extnValue of the id-pe-acmeIdentifier extension is the ASN.1 DER
        encoding of the Authorization structure, which contains the SHA-256
        digest of the key authorization for the challenge.

   Once this certificate has been created it MUST be provisioned such
   that it is returned during a TLS handshake that contains a ALPN
   extension containing the value "acme-tls/1" and a SNI extension
   containing the domain name being validated.

   A client responds with an empty object ({}) to acknowledge that the
   challenge is ready to be validated by the server.  The base64url
   encoding of the protected headers and payload is described in
   [I-D.ietf-acme-acme] Section 6.1.
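The two roles the passage above describes, as an added example that is not part of either draft: the provisioning side builds the extnValue (SHA-256 of the key authorization wrapped in a DER OCTET STRING of size 32) and hands the challenge certificate only to handshakes offering ALPN "acme-tls/1" with an SNI for a domain under validation, while the validating side checks that the acmeIdentifier extension is present, critical and carries the expected digest. The key authorization string (defined in [I-D.ietf-acme-acme], not on this page) is taken as an opaque input, the pre-parsed `extensions` dict is an assumed view of the certificate, and the sample value is constructed.

```python
import hashlib
import hmac

# id-pe-acmeIdentifier = { id-pe 31 }, with id-pe being 1.3.6.1.5.5.7.1
ID_PE_ACME_IDENTIFIER = "1.3.6.1.5.5.7.1.31"
ACME_TLS_ALPN = b"acme-tls/1"
# Constructed sample key authorization (ACME: token "." JWK thumbprint); not from the draft.
SAMPLE_KEY_AUTHORIZATION = "constructed-token.constructed-jwk-thumbprint"

def authorization_extn_value(key_authorization: str) -> bytes:
    """Provisioner side: DER-encode Authorization ::= OCTET STRING (SIZE (32))
    holding SHA-256(key authorization): tag 0x04, length 0x20, 32 digest bytes."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return b"\x04\x20" + digest

def parse_authorization(extn_value: bytes) -> bytes:
    """Strict DER decode of the Authorization value; anything other than a single
    32-byte OCTET STRING (wrong tag, wrong length, trailing data) is rejected."""
    if len(extn_value) != 34 or extn_value[0] != 0x04 or extn_value[1] != 0x20:
        raise ValueError("extnValue is not a DER OCTET STRING of exactly 32 bytes")
    return extn_value[2:]

def select_certificate(alpn_protocols, sni, challenge_certs, default_cert):
    """Provisioner side: return the challenge certificate only for a handshake
    that offers ALPN "acme-tls/1" and an SNI naming a domain under validation;
    every other handshake keeps receiving the site's normal certificate."""
    if ACME_TLS_ALPN in alpn_protocols and sni in challenge_certs:
        return challenge_certs[sni]
    return default_cert

def validate_challenge_cert(extensions, key_authorization):
    """Validator side: the acmeIdentifier extension must be present, critical
    and carry the SHA-256 digest of the expected key authorization.
    `extensions` maps dotted OID -> {"critical": bool, "value": extnValue bytes}
    (hypothetical pre-parsed view of the certificate). Returns (ok, reason)."""
    ext = extensions.get(ID_PE_ACME_IDENTIFIER)
    if ext is None:
        return False, "acmeIdentifier extension missing"
    if not ext["critical"]:
        return False, "acmeIdentifier extension must be critical"
    try:
        got = parse_authorization(ext["value"])
    except ValueError as exc:
        return False, str(exc)
    expected = hashlib.sha256(key_authorization.encode("ascii")).digest()
    if not hmac.compare_digest(got, expected):
        return False, "Authorization digest does not match key authorization"
    return True, "ok"
```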
End of changes.  4 change blocks.
5 lines changed or deleted, 6 lines changed or added.

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/