idnits 2.17.1 draft-ietf-acme-acme-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 784 has weird spacing: '...ew-cert rev...' -- The exact meaning of the all-uppercase expression 'NOT REQUIRED' is not defined in RFC 2119. If it is intended as a requirements expression, it should be rewritten using one of the combinations defined in RFC 2119; otherwise it should not be all-uppercase. -- The document date (September 28, 2015) is 3133 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'A-Z' is mentioned on line 652, but not defined == Missing Reference: '0-9' is mentioned on line 652, but not defined -- Looks like a reference, but probably isn't: '0' on line 1281 -- Looks like a reference, but probably isn't: '2' on line 1282 -- Looks like a reference, but probably isn't: '1' on line 1282 == Unused Reference: 'RFC3986' is defined on line 2453, but no explicit reference was found in the text == Unused Reference: 'RFC4514' is defined on line 2458, but no explicit reference was found in the text == Unused Reference: 'RFC4648' is defined on line 2463, but no explicit reference was found in the text == Unused Reference: 'RFC5226' is defined on line 2467, but no explicit reference was found in the text == Unused Reference: 'RFC5280' is defined on line 2477, but no explicit reference was found in the text == Unused Reference: 'RFC7518' is defined on line 2518, but no explicit reference was found in the text == Outdated reference: A later version (-03) exists of draft-ietf-appsawg-http-problem-01 ** Obsolete normative reference: RFC 2314 (Obsoleted by RFC 2986) ** Downref: Normative reference to an Informational RFC: RFC 2985 ** Downref: Normative reference to an Informational RFC: RFC 2986 ** Obsolete normative reference: RFC 5226 (Obsoleted by RFC 8126) ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446) ** Downref: Normative reference to an Informational RFC: RFC 5753 ** Obsolete normative reference: RFC 5988 (Obsoleted by RFC 8288) ** Obsolete normative reference: RFC 7159 (Obsoleted by RFC 8259) -- Possible downref: Non-RFC (?) normative reference: ref. 'SEC1' -- Obsolete informational reference (is this intentional?): RFC 2818 (Obsoleted by RFC 9110) Summary: 8 errors (**), 0 flaws (~~), 11 warnings (==), 8 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group R. Barnes 3 Internet-Draft Mozilla 4 Intended status: Standards Track J. Hoffman-Andrews 5 Expires: March 31, 2016 EFF 6 J. Kasten 7 University of Michigan 8 September 28, 2015 10 Automatic Certificate Management Environment (ACME) 11 draft-ietf-acme-acme-00 13 Abstract 15 Certificates in the Web's X.509 PKI (PKIX) are used for a number of 16 purposes, the most significant of which is the authentication of 17 domain names. Thus, certificate authorities in the Web PKI are 18 trusted to verify that an applicant for a certificate legitimately 19 represents the domain name(s) in the certificate. Today, this 20 verification is done through a collection of ad hoc mechanisms. This 21 document describes a protocol that a certificate authority (CA) and 22 an applicant can use to automate the process of verification and 23 certificate issuance. The protocol also provides facilities for 24 other certificate management functions, such as certificate 25 revocation. 27 DANGER: Do not implement this specification. It has a known 28 signature reuse vulnerability. For details, see the following 29 discussion: 31 https://mailarchive.ietf.org/arch/msg/acme/F71iz6qq1o_QPVhJCV4dqWf- 32 4Yc 34 Status of This Memo 36 This Internet-Draft is submitted in full conformance with the 37 provisions of BCP 78 and BCP 79. 39 Internet-Drafts are working documents of the Internet Engineering 40 Task Force (IETF). Note that other groups may also distribute 41 working documents as Internet-Drafts. The list of current Internet- 42 Drafts is at http://datatracker.ietf.org/drafts/current/. 44 Internet-Drafts are draft documents valid for a maximum of six months 45 and may be updated, replaced, or obsoleted by other documents at any 46 time. It is inappropriate to use Internet-Drafts as reference 47 material or to cite them other than as "work in progress." 48 This Internet-Draft will expire on March 31, 2016. 50 Copyright Notice 52 Copyright (c) 2015 IETF Trust and the persons identified as the 53 document authors. All rights reserved. 55 This document is subject to BCP 78 and the IETF Trust's Legal 56 Provisions Relating to IETF Documents 57 (http://trustee.ietf.org/license-info) in effect on the date of 58 publication of this document. Please review these documents 59 carefully, as they describe your rights and restrictions with respect 60 to this document. Code Components extracted from this document must 61 include Simplified BSD License text as described in Section 4.e of 62 the Trust Legal Provisions and are provided without warranty as 63 described in the Simplified BSD License. 65 Table of Contents 67 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 68 2. Deployment Model and Operator Experience . . . . . . . . . . 4 69 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 70 4. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 6 71 5. Protocol Elements . . . . . . . . . . . . . . . . . . . . . . 9 72 5.1. HTTPS Requests . . . . . . . . . . . . . . . . . . . . . 9 73 5.2. Registration Objects . . . . . . . . . . . . . . . . . . 10 74 5.3. Authorization Objects . . . . . . . . . . . . . . . . . . 11 75 5.4. Errors . . . . . . . . . . . . . . . . . . . . . . . . . 13 76 5.5. Replay protection . . . . . . . . . . . . . . . . . . . . 14 77 5.5.1. Replay-Nonce . . . . . . . . . . . . . . . . . . . . 14 78 5.5.2. "nonce" (Nonce) JWS header parameter . . . . . . . . 15 79 5.6. Key Agreement . . . . . . . . . . . . . . . . . . . . . . 15 80 6. Certificate Management . . . . . . . . . . . . . . . . . . . 16 81 6.1. Resources . . . . . . . . . . . . . . . . . . . . . . . . 16 82 6.2. Directory . . . . . . . . . . . . . . . . . . . . . . . . 18 83 6.3. Registration . . . . . . . . . . . . . . . . . . . . . . 18 84 6.3.1. Recovery Keys . . . . . . . . . . . . . . . . . . . . 20 85 6.4. Account Recovery . . . . . . . . . . . . . . . . . . . . 22 86 6.4.1. MAC-Based Recovery . . . . . . . . . . . . . . . . . 23 87 6.4.2. Contact-Based Recovery . . . . . . . . . . . . . . . 25 88 6.5. Identifier Authorization . . . . . . . . . . . . . . . . 27 89 6.6. Certificate Issuance . . . . . . . . . . . . . . . . . . 31 90 6.7. Certificate Revocation . . . . . . . . . . . . . . . . . 34 91 7. Identifier Validation Challenges . . . . . . . . . . . . . . 35 92 7.1. Simple HTTP . . . . . . . . . . . . . . . . . . . . . . . 37 93 7.2. Domain Validation with Server Name Indication (DVSNI) . . 39 94 7.3. Proof of Possession of a Prior Key . . . . . . . . . . . 41 95 7.4. DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 97 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 46 98 9. Security Considerations . . . . . . . . . . . . . . . . . . . 46 99 9.1. Threat model . . . . . . . . . . . . . . . . . . . . . . 47 100 9.2. Integrity of Authorizations . . . . . . . . . . . . . . . 48 101 9.3. Preventing Authorization Hijacking . . . . . . . . . . . 51 102 9.4. Denial-of-Service Considerations . . . . . . . . . . . . 52 103 9.5. CA Policy Considerations . . . . . . . . . . . . . . . . 52 104 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 53 105 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 54 106 11.1. Normative References . . . . . . . . . . . . . . . . . . 54 107 11.2. Informative References . . . . . . . . . . . . . . . . . 56 108 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 56 110 1. Introduction 112 Certificates in the Web PKI are most commonly used to authenticate 113 domain names. Thus, certificate authorities in the Web PKI are 114 trusted to verify that an applicant for a certificate legitimately 115 represents the domain name(s) in the certificate. 117 Existing Web PKI certificate authorities tend to run on a set of ad 118 hoc protocols for certificate issuance and identity verification. A 119 typical user experience is something like: 121 o Generate a PKCS#10 [RFC2314] Certificate Signing Request (CSR). 123 o Cut-and-paste the CSR into a CA web page. 125 o Prove ownership of the domain by one of the following methods: 127 * Put a CA-provided challenge at a specific place on the web 128 server. 130 * Put a CA-provided challenge at a DNS location corresponding to 131 the target domain. 133 * Receive CA challenge at a (hopefully) administrator-controlled 134 e-mail address corresponding to the domain and then respond to 135 it on the CA's web page. 137 o Download the issued certificate and install it on their Web 138 Server. 140 With the exception of the CSR itself and the certificates that are 141 issued, these are all completely ad hoc procedures and are 142 accomplished by getting the human user to follow interactive natural- 143 language instructions from the CA rather than by machine-implemented 144 published protocols. In many cases, the instructions are difficult 145 to follow and cause significant confusion. Informal usability tests 146 by the authors indicate that webmasters often need 1-3 hours to 147 obtain and install a certificate for a domain. Even in the best 148 case, the lack of published, standardized mechanisms presents an 149 obstacle to the wide deployment of HTTPS and other PKIX-dependent 150 systems because it inhibits mechanization of tasks related to 151 certificate issuance, deployment, and revocation. 153 This document describes an extensible framework for automating the 154 issuance and domain validation procedure, thereby allowing servers 155 and infrastructural software to obtain certificates without user 156 interaction. Use of this protocol should radically simplify the 157 deployment of HTTPS and the practicality of PKIX authentication for 158 other protocols based on TLS [RFC5246]. 160 2. Deployment Model and Operator Experience 162 The major guiding use case for ACME is obtaining certificates for Web 163 sites (HTTPS [RFC2818]). In that case, the server is intended to 164 speak for one or more domains, and the process of certificate 165 issuance is intended to verify that the server actually speaks for 166 the domain. 168 Different types of certificates reflect different kinds of CA 169 verification of information about the certificate subject. "Domain 170 Validation" (DV) certificates are by far the most common type. For 171 DV validation, the CA merely verifies that the requester has 172 effective control of the web server and/or DNS server for the domain, 173 but does not explicitly attempt to verify their real-world identity. 174 (This is as opposed to "Organization Validation" (OV) and "Extended 175 Validation" (EV) certificates, where the process is intended to also 176 verify the real-world identity of the requester.) 178 DV certificate validation commonly checks claims about properties 179 related to control of a domain name - properties that can be observed 180 by the issuing authority in an interactive process that can be 181 conducted purely online. That means that under typical 182 circumstances, all steps in the request, verification, and issuance 183 process can be represented and performed by Internet protocols with 184 no out-of-band human intervention. 186 When an operator deploys a current HTTPS server, it generally prompts 187 him to generate a self-signed certificate. When an operator deploys 188 an ACME-compatible web server, the experience would be something like 189 this: 191 o The ACME client prompts the operator for the intended domain 192 name(s) that the web server is to stand for. 194 o The ACME client presents the operator with a list of CAs from 195 which it could get a certificate. (This list will change over 196 time based on the capabilities of CAs and updates to ACME 197 configuration.) The ACME client might prompt the operator for 198 payment information at this point. 200 o The operator selects a CA. 202 o In the background, the ACME client contacts the CA and requests 203 that a certificate be issued for the intended domain name(s). 205 o Once the CA is satisfied, the certificate is issued and the ACME 206 client automatically downloads and installs it, potentially 207 notifying the operator via e-mail, SMS, etc. 209 o The ACME client periodically contacts the CA to get updated 210 certificates, stapled OCSP responses, or whatever else would be 211 required to keep the server functional and its credentials up-to- 212 date. 214 The overall idea is that it's nearly as easy to deploy with a CA- 215 issued certificate as a self-signed certificate, and that once the 216 operator has done so, the process is self-sustaining with minimal 217 manual intervention. Close integration of ACME with HTTPS servers, 218 for example, can allow the immediate and automated deployment of 219 certificates as they are issued, optionally sparing the human 220 administrator from additional configuration work. 222 3. Terminology 224 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 225 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 226 document are to be interpreted as described in RFC 2119 [RFC2119]. 228 The two main roles in ACME are "client" and "server". The ACME 229 client uses the protocol to request certificate management actions, 230 such as issuance or revocation. An ACME client therefore typically 231 runs on a web server, mail server, or some other server system which 232 requires valid TLS certificates. The ACME server runs at a 233 certificate authority, and responds to client requests, performing 234 the requested actions if the client is authorized. 236 For simplicity, in all HTTPS transactions used by ACME, the ACME 237 client is the HTTPS client and the ACME server is the HTTPS server. 239 In the discussion below, we will refer to three different types of 240 keys / key pairs: 242 Subject Public Key: A public key to be included in a certificate. 244 Account Key Pair: A key pair for which the ACME server considers the 245 holder of the private key authorized to manage certificates for a 246 given identifier. The same key pair may be authorized for 247 multiple identifiers. 249 Recovery Key: A MAC key that a client can use to demonstrate that it 250 participated in a prior registration transaction. 252 ACME messaging is based on HTTPS [RFC2818] and JSON [RFC7159]. Since 253 JSON is a text-based format, binary fields are Base64-encoded. For 254 Base64 encoding, we use the variant defined in [RFC7515]. The 255 important features of this encoding are (1) that it uses the URL-safe 256 character set, and (2) that "=" padding characters are stripped. 258 Some HTTPS bodies in ACME are authenticated and integrity-protected 259 by being encapsulated in a JSON Web Signature (JWS) object [RFC7515]. 260 ACME uses a profile of JWS, with the following restrictions: 262 o The JWS MUST use the Flattened JSON Serialization 264 o The JWS MUST be encoded using UTF-8 266 o The JWS Header or Protected Header MUST include "alg" and "jwk" 267 fields 269 o The JWS MUST NOT have the value "none" in its "alg" field 271 Additionally, JWS objects used in ACME MUST include the "nonce" 272 header parameter, defined below. 274 4. Protocol Overview 276 ACME allows a client to request certificate management actions using 277 a set of JSON messages carried over HTTPS. In some ways, ACME 278 functions much like a traditional CA, in which a user creates an 279 account, adds identifiers to that account (proving control of the 280 domains), and requests certificate issuance for those domains while 281 logged in to the account. 283 In ACME, the account is represented by an account key pair. The "add 284 a domain" function is accomplished by authorizing the key pair for a 285 given domain. Certificate issuance and revocation are authorized by 286 a signature with the key pair. 288 The first phase of ACME is for the client to register with the ACME 289 server. The client generates an asymmetric key pair and associates 290 this key pair with a set of contact information by signing the 291 contact information. The server acknowledges the registration by 292 replying with a registration object echoing the client's input. 294 Client Server 296 Contact Information 297 Signature -------> 299 <------- Registration 301 Before a client can issue certificates, it must establish an 302 authorization with the server for an account key pair to act for the 303 identifier(s) that it wishes to include in the certificate. To do 304 this, the client must demonstrate to the server both (1) that it 305 holds the private key of the account key pair, and (2) that it has 306 authority over the identifier being claimed. 308 Proof of possession of the account key is built into the ACME 309 protocol. All messages from the client to the server are signed by 310 the client, and the server verifies them using the public key of the 311 account key pair. 313 To verify that the client controls the identifier being claimed, the 314 server issues the client a set of challenges. Because there are many 315 different ways to validate possession of different types of 316 identifiers, the server will choose from an extensible set of 317 challenges that are appropriate for the identifier being claimed. 318 The client responds with a set of responses that tell the server 319 which challenges the client has completed. The server then validates 320 the challenges to check that the client has accomplished the 321 challenge. 323 For example, if the client requests a domain name, the server might 324 challenge the client to provision a record in the DNS under that 325 name, or to provision a file on a web server referenced by an A or 326 AAAA record under that name. The server would then query the DNS for 327 the record in question, or send an HTTP request for the file. If the 328 client provisioned the DNS or the web server as expected, then the 329 server considers the client authorized for the domain name. 331 Client Server 333 Identifier 334 Signature -------> 336 <------- Challenges 338 Responses 339 Signature -------> 341 <------- Updated Challenge 343 <~~~~~~~~Validation~~~~~~~~> 345 Poll -------> 347 <------- Authorization 349 Once the client has authorized an account key pair for an identifier, 350 it can use the key pair to authorize the issuance of certificates for 351 the identifier. To do this, the client sends a PKCS#10 Certificate 352 Signing Request (CSR) to the server (indicating the identifier(s) to 353 be included in the issued certificate) and a signature over the CSR 354 by the private key of the account key pair. 356 If the server agrees to issue the certificate, then it creates the 357 certificate and provides it in its response. The certificate is 358 assigned a URI, which the client can use to fetch updated versions of 359 the certificate. 361 Client Server 363 CSR 364 Signature --------> 366 <-------- Certificate 368 To revoke a certificate, the client simply sends a revocation 369 request, signed with an authorized key pair, and the server indicates 370 whether the request has succeeded. 372 Client Server 374 Revocation request 375 Signature --------> 377 <-------- Result 379 Note that while ACME is defined with enough flexibility to handle 380 different types of identifiers in principle, the primary use case 381 addressed by this document is the case where domain names are used as 382 identifiers. For example, all of the identifier validation 383 challenges described in Section 7 below address validation of domain 384 names. The use of ACME for other protocols will require further 385 specification, in order to describe how these identifiers are encoded 386 in the protocol, and what types of validation challenges the server 387 might require. 389 5. Protocol Elements 391 This section describes several components that are used by ACME, and 392 general rules that apply to ACME transactions. 394 5.1. HTTPS Requests 396 Each ACME function is accomplished by the client sending a sequence 397 of HTTPS requests to the server, carrying JSON messages. Use of 398 HTTPS is REQUIRED. Clients SHOULD support HTTP public key pinning 399 [RFC7469], and servers SHOULD emit pinning headers. Each subsection 400 of Section 6 below describes the message formats used by the 401 function, and the order in which messages are sent. 403 All ACME requests with a non-empty body MUST encapsulate the body in 404 a JWS object, signed using the account key pair. The server MUST 405 verify the JWS before processing the request. (For readability, 406 however, the examples below omit this encapsulation.) Encapsulating 407 request bodies in JWS provides a simple authentication of requests by 408 way of key continuity. 410 Note that this implies that GET requests are not authenticated. 411 Servers MUST NOT respond to GET requests for resources that might be 412 considered sensitive. 414 An ACME request carries a JSON dictionary that provides the details 415 of the client's request to the server. In order to avoid attacks 416 that might arise from sending a request object to a resource of the 417 wrong type, each request object MUST have a "resource" field that 418 indicates what type of resource the request is addressed to, as 419 defined in the below table: 421 +----------------------+------------------+ 422 | Resource type | "resource" value | 423 +----------------------+------------------+ 424 | New registration | new-reg | 425 | | | 426 | Recover registration | recover-reg | 427 | | | 428 | New authorization | new-authz | 429 | | | 430 | New certificate | new-cert | 431 | | | 432 | Revoke certificate | revoke-cert | 433 | | | 434 | Registration | reg | 435 | | | 436 | Authorization | authz | 437 | | | 438 | Challenge | challenge | 439 | | | 440 | Certificate | cert | 441 +----------------------+------------------+ 443 Other fields in ACME request bodies are described below. 445 ACME servers that are intended to be generally accessible need to use 446 Cross-Origin Resource Sharing (CORS) in order to be accessible from 447 browser-based clients [W3C.CR-cors-20130129]. Such servers SHOULD 448 set the Access-Control-Allow-Origin header field to the value "*". 450 5.2. Registration Objects 452 An ACME registration resource represents a set of metadata associated 453 to an account key pair. Registration resources have the following 454 structure: 456 key (required, dictionary): The public key of the account key pair, 457 encoded as a JSON Web Key object [RFC7517]. 459 contact (optional, array of string): An array of URIs that the 460 server can use to contact the client for issues related to this 461 authorization. For example, the server may wish to notify the 462 client about server-initiated revocation. 464 agreement (optional, string): A URI referring to a subscriber 465 agreement or terms of service provided by the server (see below). 466 Including this field indicates the client's agreement with the 467 referenced terms. 469 authorizations (optional, string): A URI from which a list of 470 authorizations granted to this account can be fetched via a GET 471 request. The result of the GET request MUST be a JSON object 472 whose "authorizations" field is an array of strings, where each 473 string is the URI of an authorization belonging to this 474 registration. The server SHOULD include pending authorizations, 475 and SHOULD NOT include authorizations that are invalid or expired. 477 certificates (optional, string): A URI from which a list of 478 certificates issued for this account can be fetched via a GET 479 request. The result of the GET request MUST be a JSON object 480 whose "certificates" field is an array of strings, where each 481 string is the URI of a certificate. The server SHOULD NOT include 482 expired certificates. 484 { 485 "resource": "new-reg", 486 "contact": [ 487 "mailto:cert-admin@example.com", 488 "tel:+12025551212" 489 ], 490 "agreement": "https://example.com/acme/terms", 491 "authorizations": "https://example.com/acme/reg/1/authz", 492 "certificates": "https://example.com/acme/reg/1/cert", 493 } 495 5.3. Authorization Objects 497 An ACME authorization object represents server's authorization for an 498 account to represent an identifier. In addition to the identifier, 499 an authorization includes several metadata fields, such as the status 500 of the authorization (e.g., "pending", "valid", or "revoked") and 501 which challenges were used to validate possession of the identifier. 503 The structure of an ACME authorization resource is as follows: 505 identifier (required, dictionary of string): The identifier that the 506 account is authorized to represent 508 type (required, string): The type of identifier. 510 value (required, string): The identifier itself. 512 status (optional, string): The status of this authorization. 513 Possible values are: "unknown", "pending", "processing", "valid", 514 "invalid" and "revoked". If this field is missing, then the 515 default value is "pending". 517 expires (optional, string): The date after which the server will 518 consider this authorization invalid, encoded in the format 519 specified in RFC 3339 [RFC3339]. 521 challenges (required, array): The challenges that the client needs 522 to fulfill in order to prove possession of the identifier (for 523 pending authorizations). For final authorizations, the challenges 524 that were used. Each array entry is a dictionary with parameters 525 required to validate the challenge, as specified in Section 7. 527 combinations (optional, array of arrays of integers): A collection 528 of sets of challenges, each of which would be sufficient to prove 529 possession of the identifier. Clients complete a set of 530 challenges that that covers at least one set in this array. 531 Challenges are identified by their indices in the challenges 532 array. If no "combinations" element is included in an 533 authorization object, the client completes all challenges. 535 The only type of identifier defined by this specification is a fully- 536 qualified domain name (type: "dns"). The value of the identifier 537 MUST be the ASCII representation of the domain name. Wildcard domain 538 names (with "*" as the first label) MUST NOT be included in 539 authorization requests. See Section 6.6 below for more information 540 about wildcard domains. 542 { 543 "status": "valid", 544 "expires": "2015-03-01", 546 "identifier": { 547 "type": "dns", 548 "value": "example.org" 549 }, 551 "challenges": [ 552 { 553 "type": "simpleHttp", 554 "status": "valid", 555 "validated": "2014-12-01T12:05Z", 556 "token": "IlirfxKKXAsHtmzK29Pj8A" 557 } 558 ], 559 } 561 5.4. Errors 563 Errors can be reported in ACME both at the HTTP layer and within ACME 564 payloads. ACME servers can return responses with an HTTP error 565 response code (4XX or 5XX). For example: If the client submits a 566 request using a method not allowed in this document, then the server 567 MAY return status code 405 (Method Not Allowed). 569 When the server responds with an error status, it SHOULD provide 570 additional information using problem document 571 [I-D.ietf-appsawg-http-problem]. The "type" and "detail" fields MUST 572 be populated. To facilitate automatic response to errors, this 573 document defines the following standard tokens for use in the "type" 574 field (within the "urn:acme:" namespace): 576 +----------------+--------------------------------------------------+ 577 | Code | Semantic | 578 +----------------+--------------------------------------------------+ 579 | badCSR | The CSR is unacceptable (e.g., due to a short | 580 | | key) | 581 | | | 582 | badNonce | The client sent an unacceptable anti-replay | 583 | | nonce | 584 | | | 585 | connection | The server could not connect to the client for | 586 | | DV | 587 | | | 588 | dnssec | The server could not validate a DNSSEC signed | 589 | | domain | 590 | | | 591 | malformed | The request message was malformed | 592 | | | 593 | serverInternal | The server experienced an internal error | 594 | | | 595 | tls | The server experienced a TLS error during DV | 596 | | | 597 | unauthorized | The client lacks sufficient authorization | 598 | | | 599 | unknownHost | The server could not resolve a domain name | 600 +----------------+--------------------------------------------------+ 602 Authorization and challenge objects can also contain error 603 information to indicate why the server was unable to validate 604 authorization. 606 TODO: Flesh out errors and syntax for them 608 5.5. Replay protection 610 In order to protect ACME resources from any possible replay attacks, 611 ACME requests have a mandatory anti-replay mechanism. This mechanism 612 is based on the server maintaining a list of nonces that it has 613 issued to clients, and requiring any signed request from the client 614 to carry such a nonce. 616 An ACME server MUST include a Replay-Nonce header field in each 617 successful response it provides to a client, with contents as 618 specified below. In particular, the ACME server MUST provide a 619 Replay-Nonce header field in response to a HEAD request for any valid 620 resource. (This allows clients to easily obtain a fresh nonce.) It 621 MAY also provide nonces in error responses. 623 Every JWS sent by an ACME client MUST include, in its protected 624 header, the "nonce" header parameter, with contents as defined below. 625 As part of JWS verification, the ACME server MUST verify that the 626 value of the "nonce" header is a value that the server previously 627 provided in a Replay-Nonce header field. Once a nonce value has 628 appeared in an ACME request, the server MUST consider it invalid, in 629 the same way as a value it had never issued. 631 When a server rejects a request because its nonce value was 632 unacceptable (or not present), it SHOULD provide HTTP status code 400 633 (Bad Request), and indicate the ACME error code "urn:acme:badNonce". 635 The precise method used to generate and track nonces is up to the 636 server. For example, the server could generate a random 128-bit 637 value for each response, keep a list of issued nonces, and strike 638 nonces from this list as they are used. 640 5.5.1. Replay-Nonce 642 The "Replay-Nonce" header field includes a server-generated value 643 that the server can use to detect unauthorized replay in future 644 client requests. The server should generate the value provided in 645 Replay-Nonce in such a way that they are unique to each message, with 646 high probability. 648 The value of the Replay-Nonce field MUST be an octet string encoded 649 according to the base64url encoding described in Section 2 of 650 [RFC7515]. Clients MUST ignore invalid Replay-Nonce values. 652 base64url = [A-Z] / [a-z] / [0-9] / "-" / "_" 654 Replay-Nonce = *base64url 656 The Replay-Nonce header field SHOULD NOT be included in HTTP request 657 messages. 659 5.5.2. "nonce" (Nonce) JWS header parameter 661 The "nonce" header parameter provides a unique value that enables the 662 verifier of a JWS to recognize when replay has occurred. The "nonce" 663 header parameter MUST be carried in the protected header of the JWS. 665 The value of the "nonce" header parameter MUST be an octet string, 666 encoded according to the base64url encoding described in Section 2 of 667 [RFC7515]. If the value of a "nonce" header parameter is not valid 668 according to this encoding, then the verifier MUST reject the JWS as 669 malformed. 671 5.6. Key Agreement 673 Certain elements of the protocol will require the establishment of a 674 shared secret between the client and the server, in such a way that 675 an entity observing the ACME protocol cannot derive the secret. In 676 these cases, we use a simple ECDH key exchange, based on the system 677 used by CMS [RFC5753]: 679 o Inputs: 681 * Client-generated key pair 683 * Server-generated key pair 685 * Length of the shared secret to be derived 687 * Label 689 o Perform the ECDH primitive operation to obtain Z (Section 3.3.1 of 690 [SEC1]) 692 o Select a hash algorithm according to the curve being used: 694 * For "P-256", use SHA-256 696 * For "P-384", use SHA-384 698 * For "P-521", use SHA-512 700 o Derive the shared secret value using the KDF in Section 3.6.1 of 701 [SEC1] using Z and the selected hash algorithm, and with the UTF-8 702 encoding of the label as the SharedInfo value 704 In cases where the length of the derived secret is shorter than the 705 output length of the chosen hash algorithm, the KDF referenced above 706 reduces to a single hash invocation. The shared secret is equal to 707 the leftmost octets of the following: 709 H( Z || 00000001 || label ) 711 6. Certificate Management 713 In this section, we describe the certificate management functions 714 that ACME enables: 716 o Account Key Registration 718 o Account Recovery 720 o Account Key Authorization 722 o Certificate Issuance 724 o Certificate Renewal 726 o Certificate Revocation 728 6.1. Resources 730 ACME is structured as a REST application with a few types of 731 resources: 733 o Registration resources, representing information about an account 735 o Authorization resources, representing an account's authorization 736 to act for an identifier 738 o Challenge resources, representing a challenge to prove control of 739 an identifier 741 o Certificate resources, representing issued certificates 743 o A "directory" resource 745 o A "new-registration" resource 747 o A "new-authorization" resource 749 o A "new-certificate" resource 751 o A "revoke-certificate" resource 752 For the "new-X" resources above, the server MUST have exactly one 753 resource for each function. This resource may be addressed by 754 multiple URIs, but all must provide equivalent functionality. 756 In general, the intent is for authorization and certificate resources 757 to contain only public information, so that CAs may publish these 758 resources to document what certificates have been issued and how they 759 were authorized. Non-public information, such as contact 760 information, is stored in registration resources. 762 ACME uses different URIs for different management functions. Each 763 function is listed in a directory along with its corresponding URI, 764 so clients only need to be configured with the directory URI. 766 The "up" link relation is used with challenge resources to indicate 767 the authorization resource to which a challenge belongs. It is also 768 used from certificate resources to indicate a resource from which the 769 client may fetch a chain of CA certificates that could be used to 770 validate the certificate in the original resource. 772 The following diagram illustrates the relations between resources on 773 an ACME server. The solid lines indicate link relations, and the 774 dotted lines correspond to relationships expressed in other ways, 775 e.g., the Location header in a 201 (Created) response. 777 directory 778 . 779 . 780 .................................................... 781 . . . . 782 . . . . 783 V "next" V "next" V V 784 new-reg ---+----> new-authz ---+----> new-cert revoke-cert 785 . | . | . ^ 786 . | . | . | "revoke" 787 V | V | V | 788 reg* ----+ authz -----+ cert-----------+ 789 . ^ | 790 . | "up" | "up" 791 V | V 792 challenge cert-chain 794 The following table illustrates a typical sequence of requests 795 required to establish a new account with the server, prove control of 796 an identifier, issue a certificate, and fetch an updated certificate 797 some time after issuance. The "->" is a mnemonic for a Location 798 header pointing to a created resource. 800 +--------------------+----------------+--------------+ 801 | Action | Request | Response | 802 +--------------------+----------------+--------------+ 803 | Register | POST new-reg | 201 -> reg | 804 | | | | 805 | Request challenges | POST new-authz | 201 -> authz | 806 | | | | 807 | Answer challenges | POST challenge | 200 | 808 | | | | 809 | Poll for status | GET authz | 200 | 810 | | | | 811 | Request issuance | POST new-cert | 201 -> cert | 812 | | | | 813 | Check for new cert | GET cert | 200 | 814 +--------------------+----------------+--------------+ 816 The remainder of this section provides the details of how these 817 resources are structured and how the ACME protocol makes use of them. 819 6.2. Directory 821 In order to help clients configure themselves with the right URIs for 822 each ACME operation, ACME servers provide a directory object. This 823 should be the root URL with which clients are configured. It is a 824 JSON dictionary, whose keys are the "resource" values listed in 825 Section 5.1, and whose values are the URIs used to accomplish the 826 corresponding function. 828 Clients access the directory by sending a GET request to the 829 directory URI. 831 HTTP/1.1 200 OK 832 Content-Type: application/json 834 { 835 "new-reg": "https://example.com/acme/new-reg", 836 "recover-reg": "https://example.com/acme/recover-reg", 837 "new-authz": "https://example.com/acme/new-authz", 838 "new-cert": "https://example.com/acme/new-cert", 839 "revoke-cert": "https://example.com/acme/revoke-cert" 840 } 842 6.3. Registration 844 A client creates a new account with the server by sending a POST 845 request to the server's new-registration URI. The body of the 846 request is a stub registration object containing only the "contact" 847 field (along with the required "resource" field). 849 POST /acme/new-registration HTTP/1.1 850 Host: example.com 852 { 853 "resource": "new-reg", 854 "contact": [ 855 "mailto:cert-admin@example.com", 856 "tel:+12025551212" 857 ], 858 } 859 /* Signed as JWS */ 861 The server MUST ignore any values provided in the "key", 862 "authorizations", and "certificates" fields in registration bodies 863 sent by the client, as well as any other fields that it does not 864 recognize. If new fields are specified in the future, the 865 specification of those fields MUST describe whether they may be 866 provided by the client. 868 The server creates a registration object with the included contact 869 information. The "key" element of the registration is set to the 870 public key used to verify the JWS (i.e., the "jwk" element of the JWS 871 header). The server returns this registration object in a 201 872 (Created) response, with the registration URI in a Location header 873 field. The server MUST also indicate its new-authorization URI using 874 the "next" link relation. 876 If the server already has a registration object with the provided 877 account key, then it MUST return a 409 (Conflict) response and 878 provide the URI of that registration in a Location header field. 879 This allows a client that has an account key but not the 880 corresponding registration URI to recover the registration URI. 882 If the server wishes to present the client with terms under which the 883 ACME service is to be used, it MUST indicate the URI where such terms 884 can be accessed in a Link header with link relation "terms-of- 885 service". As noted above, the client may indicate its agreement with 886 these terms by updating its registration to include the "agreement" 887 field, with the terms URI as its value. 889 HTTP/1.1 201 Created 890 Content-Type: application/json 891 Location: https://example.com/acme/reg/asdf 892 Link: ;rel="next" 893 Link: ;rel="recover" 894 Link: ;rel="terms-of-service" 896 { 897 "key": { /* JWK from JWS header */ }, 899 "contact": [ 900 "mailto:cert-admin@example.com", 901 "tel:+12025551212" 902 ] 903 } 905 If the client wishes to update this information in the future, it 906 sends a POST request with updated information to the registration 907 URI. The server MUST ignore any updates to the "key", 908 "authorizations, or "certificates" fields, and MUST verify that the 909 request is signed with the private key corresponding to the "key" 910 field of the request before updating the registration. 912 Servers SHOULD NOT respond to GET requests for registration resources 913 as these requests are not authenticated. If a client wishes to query 914 the server for information about its account (e.g., to examine the 915 "contact" or "certificates" fields), then it SHOULD do so by sending 916 a POST request with an empty update. That is, it should send a JWS 917 whose payload is trivial ({"resource":"reg"}). In this case the 918 server reply MUST contain the same link headers sent for a new 919 registration, to allow a client to retreive the "new-authorization" 920 and "terms-of-service" URI 922 6.3.1. Recovery Keys 924 If the client wishes to establish a secret key with the server that 925 it can use to recover this account later (a "recovery key"), then it 926 must perform a simple key agreement protocol as part of the new- 927 registration transaction. The client and server perform an ECDH 928 exchange through the new-registration transaction (using the 929 technique in Section 5.6), and the result is the recovery key. 931 To request a recovery key, the client includes a "recoveryKey" field 932 in its new-registration request. The value of this field is a JSON 933 object. 935 client (required, JWK): The client's ECDH public key 936 length (required, number): The length of the derived secret, in 937 octets. 939 In the client's request, this object contains a JWK for a random ECDH 940 public key generated by the client and the client-selected length 941 value. Clients need to choose length values that balance security 942 and usability. On the one hand, a longer secret makes it more 943 difficult for an attacker to recover the secret when it is used for 944 recovery (see Section 6.4.1). On the other hand, clients may wish to 945 make the recovery key short enough for a user to easily write it 946 down. 948 POST /acme/new-registration HTTP/1.1 949 Host: example.com 951 { 952 "resource": "new-reg", 953 "contact": [ 954 "mailto:cert-admin@example.com", 955 "tel:+12025551212" 956 ], 957 "recoveryKey": { 958 "client": { "kty": "EC", ... }, 959 "length": 128 960 } 961 } 962 /* Signed as JWS */ 964 The server MUST validate that the elliptic curve ("crv") and length 965 value chosen by the client are acceptable, and that it is otherwise 966 willing to create a recovery key. If not, then it MUST reject the 967 new-registration request. 969 If the server agrees to create a recovery key, then it generates its 970 own random ECDH key pair and combines it with with the client's 971 public key as described in Section 5.6 above, using the label 972 "recovery". The derived secret value is the recovery key. The 973 server then returns to the client the ECDH key that it generated. 974 The server MUST generate a fresh key pair for every transaction. 976 server (required, JWK): The server's ECDH public key 977 HTTP/1.1 201 Created 978 Content-Type: application/json 979 Location: https://example.com/acme/reg/asdf 981 { 982 "key": { /* JWK from JWS header */ }, 984 "contact": [ 985 "mailto:cert-admin@example.com", 986 "tel:+12025551212" 987 ], 989 "recoveryKey": { 990 "server": { "kty": "EC", ... } 991 } 992 } 994 On receiving the server's response, the client can compute the 995 recovery key by combining the server's public key together with the 996 private key corresponding to the public key that it sent to the 997 server. 999 Clients may refresh the recovery key associated with a registration 1000 by sending a POST request with a new recoveryKey object. If the 1001 server agrees to refresh the recovery key, then it responds in the 1002 same way as to a new registration request that asks for a recovery 1003 key. 1005 POST /acme/reg/asdf HTTP/1.1 1006 Host: example.com 1008 { 1009 "resource": "reg", 1010 "recoveryKey": { 1011 "client": { "kty": "EC", ... } 1012 } 1013 } 1014 /* Signed as JWS */ 1016 6.4. Account Recovery 1018 Once a client has created an account with an ACME server, it is 1019 possible that the private key for the account will be lost. The 1020 recovery contacts included in the registration allows the client to 1021 recover from this situation, as long as it still has access to these 1022 contacts. 1024 By "recovery", we mean that the information associated with an old 1025 account key is bound to a new account key. When a recovery process 1026 succeeds, the server provides the client with a new registration 1027 whose contents are the same as base registration object - except for 1028 the "key" field, which is set to the new account key. The server 1029 reassigns resources associated with the base registration to the new 1030 registration (e.g., authorizations and certificates). The server 1031 SHOULD delete the old registration resource after it has been used as 1032 a base for recovery. 1034 In addition to the recovery mechanisms defined by ACME, individual 1035 client implementations may also offer implementation-specific 1036 recovery mechanisms. For example, if a client creates account keys 1037 deterministically from a seed value, then this seed could be used to 1038 recover the account key by re-generating it. Or an implementation 1039 could escrow an encrypted copy of the account key with a cloud 1040 storage provider, and give the encryption key to the user as a 1041 recovery value. 1043 6.4.1. MAC-Based Recovery 1045 With MAC-based recovery, the client proves to the server that it 1046 holds a secret value established in the initial registration 1047 transaction. The client requests MAC-based recovery by sending a MAC 1048 over the new account key, using the recovery key from the initial 1049 registration. 1051 method (required, string): The string "mac" 1053 base (required, string): The URI for the registration to be 1054 recovered. 1056 mac (required, string): A JSON-formatted JWS object using an HMAC 1057 algorithm, whose payload is the JWK representation of the public 1058 key of the new account key pair. 1060 POST /acme/recover-reg HTTP/1.1 1061 Host: example.com 1063 { 1064 "resource": "recover-reg", 1065 "method": "mac", 1066 "base": "https://example.com/acme/reg/asdf", 1067 "mac": { 1068 "header": { "alg": "HS256" }, 1069 "payload": base64(JWK(newAccountKey)), 1070 "signature": "5wUrDI3eAaV4wl2Rfj3aC0Pp--XB3t4YYuNgacv_D3U" 1071 } 1072 } 1073 /* Signed as JWS, with new account key */ 1075 On receiving such a request the server MUST verify that: 1077 o The base registration has a recovery key associated with it 1079 o The "alg" value in the "mac" JWS represents a MAC algorithm 1081 o The "mac" JWS is valid according to the validation rules in 1082 [RFC7515], using the recovery key as the MAC key 1084 o The JWK in the payload represents the new account key (i.e. the 1085 key used to verify the ACME message) 1087 If those conditions are met, and the recovery request is otherwise 1088 acceptable to the server, then the recovery process has succeeded. 1089 The server creates a new registration resource based on the base 1090 registration and the new account key, and returns it on a 201 1091 (Created) response, together with a Location header indicating a URI 1092 for the new registration. If the recovery request is unsuccessful, 1093 the server returns an error response, such as 403 (Forbidden). 1095 HTTP/1.1 201 Created 1096 Content-Type: application/json 1097 Location: https://example.com/acme/reg/asdf 1098 Link: ;rel="next" 1099 Link: ;rel="recover" 1100 Link: ;rel="terms-of-service" 1102 { 1103 "key": { /* JWK from JWS header */ }, 1105 "contact": [ 1106 "mailto:cert-admin@example.com", 1107 "tel:+12025551212" 1108 ], 1110 "authorizations": "...", 1111 "certificate": "..." 1112 } 1114 6.4.2. Contact-Based Recovery 1116 In the contact-based recovery process, the client requests that the 1117 server send a message to one of the contact URIs registered for the 1118 account. That message indicates some action that the server requires 1119 the client's user to perform, e.g., clicking a link in an email. If 1120 the user successfully completes the server's required actions, then 1121 the server will bind the account to the new account key. 1123 (Note that this process is almost entirely out of band with respect 1124 to ACME. ACME only allows the client to initiate the process, and 1125 the server to indicate the result.) 1127 To initiate contact-based recovery, the client sends a POST request 1128 to the server's recover-registration URI, with a body specifying 1129 which registration is to be recovered. The body of the request MUST 1130 be signed by the client's new account key pair. 1132 method (required, string): The string "contact" 1134 base (required, string): The URI for the registration to be 1135 recovered. 1137 POST /acme/recover-reg HTTP/1.1 1138 Host: example.com 1140 { 1141 "resource": "recover-reg", 1142 "method": "contact", 1143 "base": "https://example.com/acme/reg/asdf", 1144 "contact": [ 1145 "mailto:forgetful@example.net" 1146 ] 1147 } 1148 /* Signed as JWS, with new account key */ 1150 If the server agrees to attempt contact-based recovery, then it 1151 creates a new registration resource containing a stub registration 1152 object. The stub registration has the client's new account key and 1153 contacts, but no authorizations or certificates associated. The 1154 server returns the stub contact in a 201 (Created) response, along 1155 with a Location header field indicating the URI for the new 1156 registration resource (which will be the registration URI if the 1157 recovery succeeds). 1159 HTTP/1.1 201 Created 1160 Content-Type: application/json 1161 Location: https://example.com/acme/reg/qwer 1163 { 1164 "key": { /* new account key from JWS header */ }, 1166 "contact": [ 1167 "mailto:forgetful@example.net" 1168 ] 1169 } 1171 After recovery has been initiated, the server follows its chosen 1172 recovery process, out-of-band to ACME. While the recovery process is 1173 ongoing, the client may poll the registration resource's URI for 1174 status, by sending a POST request with a trivial body 1175 ({"resource":"reg"}). If the recovery process is still pending, the 1176 server sends a 202 (Accepted) status code, and a Retry-After header 1177 field. If the recovery process has failed, the server sends an error 1178 code (e.g., 404), and SHOULD delete the stub registration resource. 1180 If the recovery process has succeeded, then the server will send a 1181 200 (OK) response, containing the full registration object, with any 1182 necessary information copied from the old registration). The client 1183 may now use this in the same way as if he had gotten it from a new- 1184 registration transaction. 1186 6.5. Identifier Authorization 1188 The identifier authorization process establishes the authorization of 1189 an account to manage certificates for a given identifier. This 1190 process must assure the server of two things: First, that the client 1191 controls the private key of the account key pair, and second, that 1192 the client holds the identifier in question. This process may be 1193 repeated to associate multiple identifiers to a key pair (e.g., to 1194 request certificates with multiple identifiers), or to associate 1195 multiple accounts with an identifier (e.g., to allow multiple 1196 entities to manage certificates). 1198 As illustrated by the figure in the overview section above, the 1199 authorization process proceeds in two phases. The client first 1200 requests a new authorization, and the server issues challenges, then 1201 the client responds to those challenges and the server validates the 1202 client's responses. 1204 To begin the key authorization process, the client sends a POST 1205 request to the server's new-authorization resource. The body of the 1206 POST request MUST contain a JWS object, whose payload is a partial 1207 authorization object. This JWS object MUST contain only the 1208 "identifier" field, so that the server knows what identifier is being 1209 authorized. The server MUST ignore any other fields present in the 1210 client's request object. 1212 The authorization object is implicitly tied to the account key used 1213 to sign the request. Once created, the authorization may only be 1214 updated by that account. 1216 POST /acme/new-authorization HTTP/1.1 1217 Host: example.com 1219 { 1220 "resource": "new-authz", 1221 "identifier": { 1222 "type": "dns", 1223 "value": "example.org" 1224 } 1225 } 1226 /* Signed as JWS */ 1228 Before processing the authorization further, the server SHOULD 1229 determine whether it is willing to issue certificates for the 1230 identifier. For example, the server should check that the identifier 1231 is of a supported type. Servers might also check names against a 1232 blacklist of known high-value identifiers. If the server is 1233 unwilling to issue for the identifier, it SHOULD return a 403 1234 (Forbidden) error, with a problem document describing the reason for 1235 the rejection. 1237 If the server is willing to proceed, it builds a pending 1238 authorization object from the initial authorization object submitted 1239 by the client. 1241 o "identifier" the identifier submitted by the client. 1243 o "status": MUST be "pending" 1245 o "challenges" and "combinations": As selected by the server's 1246 policy for this identifier 1248 o The "expires" field MUST be absent. 1250 The server allocates a new URI for this authorization, and returns a 1251 201 (Created) response, with the authorization URI in a Location 1252 header field, and the JSON authorization object in the body. 1254 HTTP/1.1 201 Created 1255 Content-Type: application/json 1256 Location: https://example.com/authz/asdf 1257 Link: ;rel="next" 1259 { 1260 "status": "pending", 1262 "identifier": { 1263 "type": "dns", 1264 "value": "example.org" 1265 }, 1267 "challenges": [ 1268 { 1269 "type": "simpleHttp", 1270 "uri": "https://example.com/authz/asdf/0", 1271 "token": "IlirfxKKXAsHtmzK29Pj8A" 1272 }, 1273 { 1274 "type": "dns", 1275 "uri": "https://example.com/authz/asdf/1" 1276 "token": "DGyRejmCefe7v4NfDGDKfA" 1277 } 1278 }, 1280 "combinations": [ 1281 [0, 2], 1282 [1, 2] 1283 ] 1284 } 1286 The client needs to respond with information to complete the 1287 challenges. To do this, the client updates the authorization object 1288 received from the server by filling in any required information in 1289 the elements of the "challenges" dictionary. (This is also the stage 1290 where the client should perform any actions required by the 1291 challenge.) 1293 The client sends these updates back to the server in the form of a 1294 JSON object with the response fields required by the challenge type, 1295 carried in a POST request to the challenge URI (not authorization URI 1296 or the new-authorization URI). This allows the client to send 1297 information only for challenges it is responding to. 1299 For example, if the client were to respond to the "simpleHttp" 1300 challenge in the above authorization, it would send the following 1301 request: 1303 POST /acme/authz/asdf/0 HTTP/1.1 1304 Host: example.com 1306 { 1307 "resource": "challenge", 1308 "type": "simpleHttp", 1309 "tls": false 1310 } 1311 /* Signed as JWS */ 1313 The server updates the authorization document by updating its 1314 representation of the challenge with the response fields provided by 1315 the client. The server MUST ignore any fields in the response object 1316 that are not specified as response fields for this type of challenge. 1317 The server provides a 200 (OK) response with the updated challenge 1318 object as its body. 1320 Presumably, the client's responses provide the server with enough 1321 information to validate one or more challenges. The server is said 1322 to "finalize" the authorization when it has completed all the 1323 validations it is going to complete, and assigns the authorization a 1324 status of "valid" or "invalid", corresponding to whether it considers 1325 the account authorized for the identifier. If the final state is 1326 "valid", the server MUST add an "expires" field to the authorization. 1327 When finalizing an authorization, the server MAY remove the 1328 "combinations" field (if present) or remove any challenges still 1329 pending. The server SHOULD NOT remove challenges with status 1330 "invalid". 1332 Usually, the validation process will take some time, so the client 1333 will need to poll the authorization resource to see when it is 1334 finalized. For challenges where the client can tell when the server 1335 has validated the challenge (e.g., by seeing an HTTP or DNS request 1336 from the server), the client SHOULD NOT begin polling until it has 1337 seen the validation request from the server. 1339 To check on the status of an authorization, the client sends a GET 1340 request to the authorization URI, and the server responds with the 1341 current authorization object. In responding to poll requests while 1342 the validation is still in progress, the server MUST return a 202 1343 (Accepted) response with a Retry-After header field. 1345 GET /acme/authz/asdf HTTP/1.1 1346 Host: example.com 1348 HTTP/1.1 200 OK 1350 { 1351 "status": "valid", 1352 "expires": "2015-03-01", 1354 "identifier": { 1355 "type": "dns", 1356 "value": "example.org" 1357 }, 1359 "challenges": [ 1360 { 1361 "type": "simpleHttp" 1362 "status": "valid", 1363 "validated": "2014-12-01T12:05Z", 1364 "token": "IlirfxKKXAsHtmzK29Pj8A" 1365 } 1366 ] 1367 } 1369 6.6. Certificate Issuance 1371 The holder of an authorized key pair for an identifier may use ACME 1372 to request that a certificate be issued for that identifier. The 1373 client makes this request by sending a POST request to the server's 1374 new-certificate resource. The body of the POST is a JWS object whose 1375 JSON payload contains a Certificate Signing Request (CSR) [RFC2986]. 1376 The CSR encodes the parameters of the requested certificate; 1377 authority to issue is demonstrated by the JWS signature by an account 1378 key, from which the server can look up related authorizations. 1380 csr (required, string): A CSR encoding the parameters for the 1381 certificate being requested. The CSR is sent in the 1382 Base64-encoded version of the DER format. (Note: This field uses 1383 the same modified Base64-encoding rules used elsewhere in this 1384 document, so it is different from PEM.) 1386 POST /acme/new-cert HTTP/1.1 1387 Host: example.com 1388 Accept: application/pkix-cert 1390 { 1391 "resource": "new-cert", 1392 "csr": "5jNudRx6Ye4HzKEqT5...FS6aKdZeGsysoCo4H9P", 1393 } 1394 /* Signed as JWS */ 1396 The CSR encodes the client's requests with regard to the content of 1397 the certificate to be issued. The CSR MUST indicate the requested 1398 identifiers, either in the commonName portion of the requested 1399 subject name, or in an extensionRequest attribute [RFC2985] 1400 requesting a subjectAltName extension. 1402 The values provided in the CSR are only a request, and are not 1403 guaranteed. The server or CA may alter any fields in the certificate 1404 before issuance. For example, the CA may remove identifiers that are 1405 not authorized for the account key that signed the request. 1407 It is up to the server's local policy to decide which names are 1408 acceptable in a certificate, given the authorizations that the server 1409 associates with the client's account key. A server MAY consider a 1410 client authorized for a wildcard domain if it is authorized for the 1411 underlying domain name (without the "*" label). Servers SHOULD NOT 1412 extend authorization across identifier types. For example, if a 1413 client is authorized for "example.com", then the server should not 1414 allow the client to issue a certificate with an iPAddress 1415 subjectAltName, even if it contains an IP address to which 1416 example.com resolves. 1418 If the CA decides to issue a certificate, then the server creates a 1419 new certificate resource and returns a URI for it in the Location 1420 header field of a 201 (Created) response. 1422 HTTP/1.1 201 Created 1423 Location: https://example.com/acme/cert/asdf 1425 If the certificate is available at the time of the response, it is 1426 provided in the body of the response. If the CA has not yet issued 1427 the certificate, the body of this response will be empty. The client 1428 should then send a GET request to the certificate URI to poll for the 1429 certificate. As long as the certificate is unavailable, the server 1430 MUST provide a 202 (Accepted) response and include a Retry-After 1431 header to indicate when the server believes the certificate will be 1432 issued (as in the example above). 1434 GET /acme/cert/asdf HTTP/1.1 1435 Host: example.com 1436 Accept: application/pkix-cert 1438 HTTP/1.1 202 Accepted 1439 Retry-After: 120 1441 The default format of the certificate is DER (application/pkix-cert). 1442 The client may request other formats by including an Accept header in 1443 its request. 1445 The server provides metadata about the certificate in HTTP headers. 1446 In particular, the server MUST include a Link relation header field 1447 [RFC5988] with relation "up" to provide a certificate under which 1448 this certificate was issued, and one with relation "author" to 1449 indicate the registration under which this certicate was issued. The 1450 server MAY also include an Expires header as a hint to the client 1451 about when to renew the certificate. (Of course, the real expiration 1452 of the certificate is controlled by the notAfter time in the 1453 certificate itself.) 1455 GET /acme/cert/asdf HTTP/1.1 1456 Host: example.com 1457 Accept: application/pkix-cert 1459 HTTP/1.1 200 OK 1460 Content-Type: application/pkix-cert 1461 Link: ;rel="up";title="issuer" 1462 Link: ;rel="revoke" 1463 Link: ;rel="author" 1464 Location: https://example.com/acme/cert/asdf 1465 Content-Location: https://example.com/acme/cert-seq/12345 1467 [DER-encoded certificate] 1469 A certificate resource always represents the most recent certificate 1470 issued for the name/key binding expressed in the CSR. If the CA 1471 allows a certificate to be renewed, then it publishes renewed 1472 versions of the certificate through the same certificate URI. 1474 Clients retrieve renewed versions of the certificate using a GET 1475 query to the certificate URI, which the server should then return in 1476 a 200 (OK) response. The server SHOULD provide a stable URI for each 1477 specific certificate in the Content-Location header field, as shown 1478 above. Requests to stable certificate URIs MUST always result in the 1479 same certificate. 1481 To avoid unnecessary renewals, the CA may choose not to issue a 1482 renewed certificate until it receives such a request (if it even 1483 allows renewal at all). In such cases, if the CA requires some time 1484 to generate the new certificate, the CA MUST return a 202 (Accepted) 1485 response, with a Retry-After header field that indicates when the new 1486 certificate will be available. The CA MAY include the current (non- 1487 renewed) certificate as the body of the response. 1489 Likewise, in order to prevent unnecessary renewal due to queries by 1490 parties other than the account key holder, certificate URIs should be 1491 structured as capability URLs [W3C.WD-capability-urls-20140218]. 1493 From the client's perspective, there is no difference between a 1494 certificate URI that allows renewal and one that does not. If the 1495 client wishes to obtain a renewed certificate, and a GET request to 1496 the certificate URI does not yield one, then the client may initiate 1497 a new-certificate transaction to request one. 1499 6.7. Certificate Revocation 1501 To request that a certificate be revoked, the client sends a POST 1502 request to the ACME server's revoke-cert URI. The body of the POST 1503 is a JWS object whose JSON payload contains the certificate to be 1504 revoked: 1506 certificate (required, string): The certificate to be revoked, in 1507 the Base64-encoded version of the DER format. (Note: This field 1508 uses the same modified Base64-encoding rules used elsewhere in 1509 this document, so it is different from PEM.) 1511 POST /acme/revoke-cert HTTP/1.1 1512 Host: example.com 1514 { 1515 "resource": "revoke-cert", 1516 "certificate": "MIIEDTCCAvegAwIBAgIRAP8..." 1517 } 1518 /* Signed as JWS */ 1520 Revocation requests are different from other ACME request in that 1521 they can be signed either with an account key pair or the key pair in 1522 the certificate. Before revoking a certificate, the server MUST 1523 verify at least one of these conditions applies: 1525 o the public key of the key pair signing the request matches the 1526 public key in the certificate. 1528 o the key pair signing the request is an account key, and the 1529 corresponding account is authorized to act for all of the 1530 identifier(s) in the certificate. 1532 If the revocation succeeds, the server responds with status code 200 1533 (OK). If the revocation fails, the server returns an error. 1535 HTTP/1.1 200 OK 1536 Content-Length: 0 1538 --- or --- 1540 HTTP/1.1 403 Forbidden 1541 Content-Type: application/problem+json 1542 Content-Language: en 1544 { 1545 "type": "urn:acme:error:unauthorized" 1546 "detail": "No authorization provided for name example.net" 1547 "instance": "http://example.com/doc/unauthorized" 1548 } 1550 7. Identifier Validation Challenges 1552 There are few types of identifier in the world for which there is a 1553 standardized mechanism to prove possession of a given identifier. In 1554 all practical cases, CAs rely on a variety of means to test whether 1555 an entity applying for a certificate with a given identifier actually 1556 controls that identifier. 1558 Challenges provide the server with assurance that an account key 1559 holder is also the entity that controls an identifier. For each type 1560 of challenge, it must be the case that in order for an entity to 1561 successfully complete the challenge the entity must both: 1563 o Hold the private key of the account key pair used to respond to 1564 the challenge 1566 o Control the identifier in question 1568 Section 9 documents how the challenges defined in this document meet 1569 these requirements. New challenges will need to document how they 1570 do. 1572 To accommodate this reality, ACME includes an extensible challenge/ 1573 response framework for identifier validation. This section describes 1574 an initial set of Challenge types. Each challenge must describe: 1576 o Content of Challenge payloads (in Challenge messages) 1578 o Content of Response payloads (in authorizationRequest messages) 1580 o How the server uses the Challenge and Response to verify control 1581 of an identifier 1583 The general structure of Challenge and Response payloads is as 1584 follows: 1586 type (required, string): The type of Challenge or Response encoded 1587 in the object. 1589 uri (required, string): The URI to which a response can be posted. 1591 status (optional, string): : The status of this authorization. 1592 Possible values are: "unknown", "pending", "processing", "valid", 1593 "invalid" and "revoked". If this field is missing, then the default 1594 value is "pending". 1596 validated (optional, string): : The time at which this challenge was 1597 completed by the server, encoded in the format specified in RFC 3339 1598 [RFC3339]. 1600 error (optional, dictionary of string): : The error that occurred 1601 while the server was validating the challenge, if any. This field is 1602 structured as a problem document [I-D.ietf-appsawg-http-problem]. 1604 All additional fields are specified by the Challenge type. The 1605 server MUST ignore any values provided in the "uri", "status", 1606 "validated", and "error" fields of a Response payload. If the server 1607 sets a Challenge's "status" to "invalid", it SHOULD also include the 1608 "error" field to help the client diagnose why they failed the 1609 challenge. 1611 Different challenges allow the server to obtain proof of different 1612 aspects of control over an identifier. In some challenges, like 1613 Simple HTTP and DVSNI, the client directly proves its ability to do 1614 certain things related to the identifier. In the Proof of Possession 1615 challenge, the client proves historical control of the identifier, by 1616 reference to a prior authorization transaction or certificate. 1618 The choice of which Challenges to offer to a client under which 1619 circumstances is a matter of server policy. A CA may choose 1620 different sets of challenges depending on whether it has interacted 1621 with a domain before, and how. For example: 1623 o New domain with no known certificates: Domain Validation (DVSNI or 1624 Simple HTTP) 1626 o Domain for which known certs exist from other CAs: DV + Proof of 1627 Possession of previous CA-signed key 1629 o Domain with a cert from this CA, lost account key: DV + PoP of 1630 ACME-certified Subject key 1632 o Domain with a cert from this CA, all keys and recovery mechanisms 1633 lost: Out of band proof of authority for the domain 1635 The identifier validation challenges described in this section all 1636 relate to validation of domain names. If ACME is extended in the 1637 future to support other types of identifier, there will need to be 1638 new Challenge types, and they will need to specify which types of 1639 identifier they apply to. 1641 7.1. Simple HTTP 1643 With Simple HTTP validation, the client in an ACME transaction proves 1644 its control over a domain name by proving that it can provision 1645 resources on an HTTP server that responds for that domain name. The 1646 ACME server challenges the client to provision a file with a specific 1647 JWS as its contents. 1649 As a domain may resolve to multiple IPv4 and IPv6 addresses, the 1650 server will connect to at least one of the hosts found in A and AAAA 1651 records, at its discretion. The HTTP server may be made available 1652 over either HTTPS or unencrypted HTTP; the client tells the server in 1653 its response which to check. 1655 type (required, string): The string "simpleHttp" 1657 token (required, string): The value to be used in generation of 1658 validation JWS. This value MUST have at least 128 bits of 1659 entropy, in order to prevent an attacker from guessing it. It 1660 MUST NOT contain any characters outside the URL-safe Base64 1661 alphabet. 1663 { 1664 "type": "simpleHttp", 1665 "token": "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA" 1666 } 1668 A client responds to this challenge by signing a JWS object and 1669 provisioning it as a resource on the HTTP server for the domain in 1670 question. The payload of the JWS MUST be a JSON dictionary 1671 containing the fields "type", "token", and "tls" from the ACME 1672 challenge and response (see below), and no other fields. If the 1673 "tls" field is not included in the response, then validation object 1674 MUST have its "tls" field set to "true". The JWS MUST be signed with 1675 the client's account key pair. This JWS is NOT REQUIRED to have a 1676 "nonce" header parameter (as with the JWS objects that carry ACME 1677 request objects), but MUST otherwise meet the guidelines laid out in 1678 Section 3. 1680 { 1681 "type": "simpleHttp", 1682 "token": "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA", 1683 "tls": false 1684 } 1686 The path at which the resource is provisioned is comprised of the 1687 fixed prefix ".well-known/acme-challenge/", followed by the "token" 1688 value in the challenge. 1690 .well-known/acme-challenge/evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA 1692 The client's response to this challenge indicates whether it would 1693 prefer for the validation request to be sent over TLS: 1695 type (required, string): The string "simpleHttp" 1697 tls (optional, boolean, default true): If this attribute is present 1698 and set to "false", the server will perform its validation check 1699 over unencrypted HTTP (on port 80) rather than over HTTPS. 1700 Otherwise the check will be done over HTTPS, on port 443. 1702 { 1703 "type": "simpleHttp", 1704 "tls": false 1705 } 1706 /* Signed as JWS */ 1708 Given a Challenge/Response pair, the server verifies the client's 1709 control of the domain by verifying that the resource was provisioned 1710 as expected. 1712 1. Form a URI by populating the URI template [RFC6570] 1713 "{scheme}://{domain}/.well-known/acme-challenge/{token}", where: 1715 * the scheme field is set to "http" if the "tls" field in the 1716 response is present and set to false, and "https" otherwise; 1718 * the domain field is set to the domain name being verified; and 1719 * the token field is the token provided in the challenge. 1721 2. Verify that the resulting URI is well-formed. 1723 3. Dereference the URI using an HTTP or HTTPS GET request. If using 1724 HTTPS, the ACME server MUST ignore the certificate provided by 1725 the HTTPS server. 1727 4. Verify that the Content-Type header of the response is either 1728 absent, or has the value "application/jose+json". 1730 5. Verify that the body of the response is a valid JWS, signed with 1731 the client's account key. 1733 6. Verify that the payload of the JWS meets the following criteria: 1735 * it is a valid JSON dictionary; 1737 * it has exactly three fields; 1739 * its "type" field is set to "simpleHttp"; 1741 * its "token" field is equal to the "token" field in the 1742 challenge; 1744 * its "tls" field is equal to the "tls" field in the response, 1745 or "true" if the "tls" field was absent. 1747 Comparisons of the "token" field MUST be performed in terms of 1748 Unicode code points, taking into account the encodings of the stored 1749 nonce and the body of the request. 1751 If all of the above verifications succeed, then the validation is 1752 successful. If the request fails, or the body does not pass these 1753 checks, then it has failed. 1755 7.2. Domain Validation with Server Name Indication (DVSNI) 1757 The Domain Validation with Server Name Indication (DVSNI) validation 1758 method proves control over a domain name by requiring the client to 1759 configure a TLS server referenced by an A/AAAA record under the 1760 domain name to respond to specific connection attempts utilizing the 1761 Server Name Indication extension [RFC6066]. The server verifies the 1762 client's challenge by accessing the reconfigured server and verifying 1763 a particular challenge certificate is presented. 1765 type (required, string): The string "dvsni" 1766 token (required, string): The value to be used in generation of 1767 validation certificate. This value MUST have at least 128 bits of 1768 entropy, in order to prevent an attacker from guessing it. It 1769 MUST NOT contain any characters outside the URL-safe Base64 1770 alphabet. 1772 { 1773 "type": "dvsni", 1774 "token": "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA" 1775 } 1777 In response to the challenge, the client uses its account private key 1778 to sign a JWS over a JSON object describing the challenge. The 1779 validation object covered by the signature MUST have the following 1780 fields and no others: 1782 type (required, string): The string "dvsni" 1784 token (required, string): The token value from the server-provided 1785 challenge object 1787 { 1788 "type": "dvsni", 1789 "token": "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA" 1790 } 1792 The client serializes the validation object to UTF-8, then uses its 1793 account private key to sign a JWS with the serialized JSON object as 1794 its payload. This JWS is NOT REQUIRED to have the "nonce" header 1795 parameter. 1797 The client will compute Z, the SHA-256 of the "signature" value from 1798 the JWS. The hash is calculated over the base64-encoded signature 1799 string. Z is encoded in hexadecimal form. 1801 The client will generate a self-signed certificate with the 1802 subjectAlternativeName extension containing the dNSName 1803 "..acme.invalid". The client will then configure 1804 the TLS server at the domain such that when a handshake is initiated 1805 with the Server Name Indication extension set to 1806 "..acme.invalid", the generated test certificate 1807 is presented. 1809 The response to the DVSNI challenge provides the validation JWS to 1810 the server. 1812 type (required, string): The string "dvsni" 1813 validation (required, string): The JWS object computed with the 1814 validation object and the account key 1816 { 1817 "type": "dvsni", 1818 "validation": { 1819 "header": { "alg": "RS256" }, 1820 "payload": "qzu9...6bjn", 1821 "signature": "gfj9XqFv07e1wU66hSLYkiFqYakPSjAu8TsyXRg85nM" 1822 } 1823 } 1825 Given a Challenge/Response pair, the ACME server verifies the 1826 client's control of the domain by verifying that the TLS server was 1827 configured appropriately. 1829 1. Verify the validation JWS using the account key for which the 1830 challenge was issued. 1832 2. Decode the payload of the JWS as UTF-8 encoded JSON. 1834 3. Verify that there are exactly two fields in the decoded object, 1835 and that: 1837 * The "type" field is set to "dvsni" 1839 * The "token" field matches the "token" value in the challenge 1841 4. Open a TLS connection to the domain name being validated on port 1842 443, presenting the value "..acme.invalid" in 1843 the SNI field. 1845 5. Verify that the certificate contains a subjectAltName extension 1846 with the dNSName of "..acme.invalid". 1848 It is RECOMMENDED that the ACME server validation TLS connections 1849 from multiple vantage points to reduce the risk of DNS hijacking 1850 attacks. 1852 If all of the above verifications succeed, then the validation is 1853 successful. Otherwise, the validation fails. 1855 7.3. Proof of Possession of a Prior Key 1857 The Proof of Possession challenge verifies that a client possesses a 1858 private key corresponding to a server-specified public key, as 1859 demonstrated by its ability to sign with that key. This challenge is 1860 meant to be used when the server knows of a public key that is 1861 already associated with the identifier being claimed, and wishes for 1862 new authorizations to be authorized by the holder of the 1863 corresponding private key. For DNS identifiers, for example, this 1864 can help guard against domain hijacking. 1866 This method is useful if a server policy calls for issuing a 1867 certificate only to an entity that already possesses the subject 1868 private key of a particular prior related certificate (perhaps issued 1869 by a different CA). It may also help enable other kinds of server 1870 policy that are related to authenticating a client's identity using 1871 digital signatures. 1873 This challenge proceeds in much the same way as the proof of 1874 possession of the authorized key pair in the main ACME flow 1875 (challenge + authorizationRequest). The server provides a nonce and 1876 the client signs over the nonce. The main difference is that rather 1877 than signing with the private key of the key pair being authorized, 1878 the client signs with a private key specified by the server. The 1879 server can specify which key pair(s) are acceptable directly (by 1880 indicating a public key), or by asking for the key corresponding to a 1881 certificate. 1883 The server provides the following fields as part of the challenge: 1885 type (required, string): The string "proofOfPossession" 1887 certs (optional, array of string): An array of certificates, in 1888 Base64-encoded DER format, that contain acceptable public keys. 1890 { 1891 "type": "proofOfPossession", 1892 "certs": ["MIIF7z...bYVQLY"] 1893 } 1895 In response to this challenge, the client uses the private key 1896 corresponding to one of the acceptable public keys to sign a JWS 1897 object including data related to the challenge. The validation 1898 object covered by the signature has the following fields: 1900 type (required, string): The string "proofOfPossession" 1902 identifiers (required, identifier): A list of identifiers for which 1903 the holder of the prior key authorizes the new key 1905 accountKey (required, JWK): The client's account public key 1906 { 1907 "type": "proofOfPossession", 1908 "identifiers: [{"type": "dns", "value": "example.com"}], 1909 "accountKey": { "kty": "RSA", ... } 1910 } 1912 This JWS is NOT REQUIRED to have a "nonce" header parameter (as with 1913 the JWS objects that carry ACME request objects). This allows proof- 1914 of-possession response objects to be computed off-line. For example, 1915 as part of a domain transfer, the new domain owner might require the 1916 old domain owner to sign a proof-of-possession validation object, so 1917 that the new domain owner can present that in an ACME transaction 1918 later. 1920 The validation JWS MUST contain a "jwk" header parameter indicating 1921 the public key under which the server should verify the JWS. 1923 The client's response includes the server-provided nonce, together 1924 with a signature over that nonce by one of the private keys requested 1925 by the server. 1927 type (required, string): The string "proofOfPossession" 1929 authorization (required, JWS): The validation JWS 1931 { 1932 "type": "proofOfPossession", 1933 "authorization": { 1934 "header": { 1935 "alg": "RS256", 1936 "jwk": { 1937 "kty": "RSA", 1938 "e": "AQAB", 1939 "n": "AMswMT...3aVtjE" 1940 } 1941 }, 1942 "payload": "SfiR1...gSAl7A", 1943 "signature": "XcQLfL...cW5beg" 1944 } 1945 } 1947 To validate a proof-of-possession challenge, the server performs the 1948 following steps: 1950 1. Verify that the public key in the "jwk" header of the 1951 "authorization" JWS corresponds to one of the certificates in the 1952 "certs" field of the challenge 1954 2. Verify the "authorization" JWS using the key indicated in its 1955 "jwk" header 1957 3. Decode the payload of the JWS as UTF-8 encoded JSON 1959 4. Verify that there are exactly three fields in the decoded object, 1960 and that: 1962 * The "type" field is set to "proofOfPossession" 1964 * The "identifier" field contains the identifier for which 1965 authorization is being validated 1967 * The "accountKey" field matches the account key for which the 1968 challenge was issued 1970 If all of the above verifications succeed, then the validation is 1971 successful. Otherwise, the validation fails. 1973 7.4. DNS 1975 When the identifier being validated is a domain name, the client can 1976 prove control of that domain by provisioning resource records under 1977 it. The DNS challenge requires the client to provision a TXT record 1978 containing a designated value under a specific validation domain 1979 name. 1981 type (required, string): The string "dns" 1983 token (required, string): The value to be used in generation of 1984 validation record to be provisioned in DNS. This value MUST have 1985 at least 128 bits of entropy, in order to prevent an attacker from 1986 guessing it. It MUST NOT contain any characters outside the URL- 1987 safe Base64 alphabet. 1989 { 1990 "type": "dns", 1991 "token": "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA" 1992 } 1994 In response to this challenge, the client uses its account private 1995 key to sign a JWS over a JSON object describing the challenge. The 1996 validation object covered by the signature MUST have the following 1997 fields and no others: 1999 type (required, string): The string "dns" 2000 token (required, string): The token value from the server-provided 2001 challenge object 2003 { 2004 "type": "dns", 2005 "token": "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA" 2006 } 2008 The client serializes the validation object to UTF-8, then uses its 2009 account private key to sign a JWS with the serialized JSON object as 2010 its payload. This JWS is NOT REQUIRED to have the "nonce" header 2011 parameter. 2013 The record provisioned to the DNS is the "signature" value from the 2014 JWS, i.e., the base64-encoded signature value. The client constructs 2015 the validation domain name by appending the label "_acme-challenge" 2016 to the domain name being validated, then provisions a TXT record with 2017 the signature value under that name. For example, if the domain name 2018 being validated is "example.com", then the client would provision the 2019 following DNS record: 2021 _acme-challenge.example.com. 300 IN TXT "gfj9Xq...Rg85nM" 2023 The response to a DNS challenge provides the validation JWS to the 2024 server. 2026 type (required, string): The string "dns" 2028 validation (required, JWS): The JWS object computed with the 2029 validation object and the account key 2031 { 2032 "type": "dns" 2033 "clientPublicKey": { "kty": "EC", ... }, 2034 "validation": { 2035 "header": { "alg": "HS256" }, 2036 "payload": "qzu9...6bjn", 2037 "signature": "gfj9XqFv07e1wU66hSLYkiFqYakPSjAu8TsyXRg85nM" 2038 } 2039 } 2041 To validate a DNS challenge, the server performs the following steps: 2043 1. Verify the validation JWS using the account key for which this 2044 challenge was issued 2046 2. Decode the payload of the JWS as UTF-8 encoded JSON 2047 3. Verify that there are exactly two fields in the decoded object, 2048 and that: 2050 * The "type" field is set to "dns" 2052 * The "token" field matches the "token" value in the challenge 2054 4. Query for TXT records under the validation domain name 2056 5. Verify that the contents of one of the TXT records match the 2057 "signature" value in the "validation" JWS 2059 If all of the above verifications succeed, then the validation is 2060 successful. If no DNS record is found, or DNS record and response 2061 payload do not pass these checks, then the validation fails. 2063 8. IANA Considerations 2065 TODO 2067 o Register .well-known path 2069 o Register Replay-Nonce HTTP header 2071 o Register "nonce" JWS header parameter 2073 o Register "urn:acme" namespace 2075 o Create identifier validation method registry 2077 o Registries of syntax tokens, e.g., message types / error types? 2079 9. Security Considerations 2081 ACME is a protocol for managing certificates that attest to 2082 identifier/key bindings. Thus the foremost security goal of ACME is 2083 to ensure the integrity of this process, i.e., to ensure that the 2084 bindings attested by certificates are correct, and that only 2085 authorized entities can manage certificates. ACME identifies clients 2086 by their account keys, so this overall goal breaks down into two more 2087 precise goals: 2089 1. Only an entity that controls a identifier can get an account key 2090 authorized for that identifier 2092 2. Once authorized, an account key's authorizations cannot be 2093 improperly transferred to another account key 2095 In this section, we discuss the threat model that underlies ACME and 2096 the ways that ACME achieves these security goals within that threat 2097 model. We also discuss the denial-of-service risks that ACME servers 2098 face, and a few other miscellaneous considerations. 2100 9.1. Threat model 2102 As a service on the Internet, ACME broadly exists within the Internet 2103 threat model [RFC3552]. In analyzing ACME, it is useful to think of 2104 an ACME server interacting with other Internet hosts along three 2105 "channels": 2107 o An ACME channel, over which the ACME HTTPS requests are exchanged 2109 o A validation channel, over which the ACME server performs 2110 additional requests to validate a client's control of an 2111 identifier 2113 o A contact channel, over which the ACME server sends messages to 2114 the registered contacts for ACME clients 2116 +------------+ 2117 | ACME | ACME Channel 2118 | Client |--------------------+ 2119 +------------+ | 2120 ^ V 2121 | Contact Channel +------------+ 2122 +--------------------| ACME | 2123 | Server | 2124 +------------+ 2125 +------------+ | 2126 | Validation |<-------------------+ 2127 | Server | Validation Channel 2128 +------------+ 2130 In practice, the risks to these channels are not entirely separate, 2131 but they are different in most cases. Each of the three channels, 2132 for example, uses a different communications pattern: the ACME 2133 channel will comprise inbound HTTPS connections to the ACME server, 2134 the validation channel outbound HTTP or DNS requests, and the contact 2135 channel will use channels such as email and PSTN. 2137 Broadly speaking, ACME aims to be secure against active and passive 2138 attackers on any individual channel. Some vulnerabilities arise 2139 (noted below), when an attacker can exploit both the ACME channel and 2140 one of the others. 2142 On the ACME channel, in addition to network-layer attackers, we also 2143 need to account for application-layer man in the middle attacks, and 2144 for abusive use of the protocol itself. Protection against 2145 application-layer MitM addresses potential attackers such as Content 2146 Distribution Networks (CDNs) and middleboxes with a TLS MitM 2147 function. Preventing abusive use of ACME means ensuring that an 2148 attacker with access to the validation or contact channels can't 2149 obtain illegitimate authorization by acting as an ACME client 2150 (legitimately, in terms of the protocol). 2152 9.2. Integrity of Authorizations 2154 ACME allows anyone to request challenges for an identifier by 2155 registering an account key and sending a new-authorization request 2156 under that account key. The integrity of the authorization process 2157 thus depends on the identifier validation challenges to ensure that 2158 the challenge can only be completed by someone who both (1) holds the 2159 private key of the account key pair, and (2) controls the identifier 2160 in question. 2162 Validation responses need to be bound to an account key pair in order 2163 to avoid situations where an ACME MitM can switch out a legitimate 2164 domain holder's account key for one of his choosing, e.g.: 2166 o Legitimate domain holder registers account key pair A 2168 o MitM registers account key pair B 2170 o Legitimate domain holder sends a new-authorization request signed 2171 under account key A 2173 o MitM suppresses the legitimate request, but sends the same request 2174 signed under account key B 2176 o ACME server issues challenges and MitM forwards them to the 2177 legitimate domain holder 2179 o Legitimate domain holder provisions the validation response 2181 o ACME server performs validation query and sees the response 2182 provisioned by the legitimate domain holder 2184 o Because the challenges were issued in response to a message signed 2185 account key B, the ACME server grants authorization to account key 2186 B (the MitM) instead of account key A (the legitimate domain 2187 holder) 2189 All of the challenges above that require an out-of-band query by the 2190 server have a binding to the account private key, such that the only 2191 the account private key holder can successfully respond to the 2192 validation query: 2194 o Simple HTTP: The value provided in the validation request is 2195 signed by the account private key. 2197 o DVSNI: The validation TLS request uses the account key pair as the 2198 server's key pair. 2200 o DNS: The MAC covers the account key, and the MAC key is derived 2201 from an ECDH public key signed with the account private key. 2203 o Proof of possession of a prior key: The signature by the prior key 2204 covers the account public key. 2206 The association of challenges to identifiers is typically done by 2207 requiring the client to perform some action that only someone who 2208 effectively controls the identifier can perform. For the challenges 2209 in this document, the actions are: 2211 o Simple HTTP: Provision files under .well-known on a web server for 2212 the domain 2214 o DVSNI: Configure a TLS server for the domain 2216 o DNS: Provision DNS resource records for the domain 2218 o Proof of possession of a prior key: Sign using the private key 2219 specified by the server 2221 There are several ways that these assumptions can be violated, both 2222 by misconfiguration and by attack. For example, on a web server that 2223 allows non-administrative users to write to .well-known, any user can 2224 claim to own the server's hostname by responding to a Simple HTTP 2225 challenge, and likewise for TLS configuration and DVSNI. 2227 The use of hosting providers is a particular risk for ACME 2228 validation. If the owner of the domain has outsourced operation of 2229 DNS or web services to a hosting provider, there is nothing that can 2230 be done against tampering by the hosting provider. As far as the 2231 outside world is concerned, the zone or web site provided by the 2232 hosting provider is the real thing. 2234 More limited forms of delegation can also lead to an unintended party 2235 gaining the ability to successfully complete a validation 2236 transaction. For example, suppose an ACME server follows HTTP 2237 redirects in Simple HTTP validation and a web site operator 2238 provisions a catch-all redirect rule that redirects requests for 2239 unknown resources to different domain. Then the target of the 2240 redirect could use that to get a certificate through Simple HTTP 2241 validation, since the validation path will not be known to the 2242 primary server. 2244 The DNS is a common point of vulnerability for all of these 2245 challenges. An entity that can provision false DNS records for a 2246 domain can attack the DNS challenge directly, and can provision false 2247 A/AAAA records to direct the ACME server to send its DVSNI or Simple 2248 HTTP validation query to a server of the attacker's choosing. There 2249 are a few different mitigations that ACME servers can apply: 2251 o Checking the DNSSEC status of DNS records used in ACME validation 2252 (for zones that are DNSSEC-enabled) 2254 o Querying the DNS from multiple vantage points to address local 2255 attackers 2257 o Applying mitigations against DNS off-path attackers, e.g., adding 2258 entropy to requests [I-D.vixie-dnsext-dns0x20] or only using TCP 2260 Given these considerations, the ACME validation process makes it 2261 impossible for any attacker on the ACME channel, or a passive 2262 attacker on the validation channel to hijack the authorization 2263 process to authorize a key of the attacker's choice. 2265 An attacker that can only see the ACME channel would need to convince 2266 the validation server to provide a response that would authorize the 2267 attacker's account key, but this is prevented by binding the 2268 validation response to the account key used to request challenges. A 2269 passive attacker on the validation channel can observe the correct 2270 validation response and even replay it, but that response can only be 2271 used with the account key for which it was generated. 2273 An active attacker on the validation channel can subvert the ACME 2274 process, by performing normal ACME transactions and providing a 2275 validation response for his own account key. The risks due to 2276 hosting providers noted above are a particular case. For identifiers 2277 where the server already has some credential associated with the 2278 domain this attack can be prevented by requiring the client to 2279 complete a proof-of-possession challenge. 2281 9.3. Preventing Authorization Hijacking 2283 The account recovery processes described in Section 6.4 allow 2284 authorization to be transferred from one account key to another, in 2285 case the former account key pair's private key is lost. ACME needs 2286 to prevent these processes from being exploited by an attacker to 2287 hijack the authorizations attached to one key and assign them to a 2288 key of the attacker's choosing. 2290 Recovery takes place in two steps: 1. Provisioning recovery 2291 information (contact or recovery key) 2. Using recovery information 2292 to recover an account 2294 The provisioning process needs to ensure that only the account key 2295 holder ends up with information that is useful for recovery. The 2296 recovery process needs to assure that only the (now former) account 2297 key holder can successfully execute recovery, i.e., that this entity 2298 is the only one that can choose the new account key that receives the 2299 capabilities held by the account being recovered. 2301 MAC-based recovery can be performed if the attacker knows the account 2302 key and registration URI for the account being recovered. Both of 2303 these are difficult to obtain for a network attacker, because ACME 2304 uses HTTPS, though if the recovery key and registration URI are 2305 sufficiently predictable, the attacker might be able to guess them. 2306 An ACME MitM can see the registration URI, but still has to guess the 2307 recovery key, since neither the ECDH in the provisioning phase nor 2308 HMAC in the recovery phase will reveal it to him. 2310 ACME clients can thus mitigate problems with MAC-based recovery by 2311 using long recovery keys. ACME servers should enforce a minimum 2312 recovery key length, and impose rate limits on recovery to limit an 2313 attacker's ability to test different guesses about the recovery key. 2315 Contact-based recovery uses both the ACME channel and the contact 2316 channel. The provisioning process is only visible to an ACME MitM, 2317 and even then, the MitM can only observe the contact information 2318 provided. If the ACME attacker does not also have access to the 2319 contact channel, there is no risk. 2321 The security of the contact-based recovery process is entirely 2322 dependent on the security of the contact channel. The details of 2323 this will depend on the specific out-of-band technique used by the 2324 server. For example: 2326 o If the server requires a user to click a link in a message sent to 2327 a contact address, then the contact channel will need to ensure 2328 that the message is only available to the legitimate owner of the 2329 contact address. Otherwise, a passive attacker could see the link 2330 and click it first, or an active attacker could redirect the 2331 message. 2333 o If the server requires a user to respond to a message sent to a 2334 contact address containing a secret value, then the contact 2335 channel will need to ensure that an attacker cannot observe the 2336 secret value and spoof a message from the contact address. 2338 In practice, many contact channels that can be used to reach many 2339 clients do not provide strong assurances of the types noted above. 2340 In designing and deploying contact-based recovery schemes, ACME 2341 servers operators will need to find an appropriate balance between 2342 using contact channels that can reach many clients and using contact- 2343 based recovery schemes that achieve an appropriate level of risk 2344 using those contact channels. 2346 9.4. Denial-of-Service Considerations 2348 As a protocol run over HTTPS, standard considerations for TCP-based 2349 and HTTP-based DoS mitigation also apply to ACME. 2351 At the application layer, ACME requires the server to perform a few 2352 potentially expensive operations. Identifier validation transactions 2353 require the ACME server to make outbound connections to potentially 2354 attacker-controlled servers, and certificate issuance can require 2355 interactions with cryptographic hardware. 2357 In addition, an attacker can also cause the ACME server to send 2358 validation requests to a domain of its choosing by submitting 2359 authorization requests for the victim domain. 2361 All of these attacks can be mitigated by the application of 2362 appropriate rate limits. Issues closer to the front end, like POST 2363 body validation, can be addressed using HTTP request limiting. For 2364 validation and certificate requests, there are other identifiers on 2365 which rate limits can be keyed. For example, the server might limit 2366 the rate at which any individual account key can issue certificates, 2367 or the rate at which validation can be requested within a given 2368 subtree of the DNS. 2370 9.5. CA Policy Considerations 2372 The controls on issuance enabled by ACME are focused on validating 2373 that a certificate applicant controls the identifier he claims. 2374 Before issuing a certificate, however, there are many other checks 2375 that a CA might need to perform, for example: 2377 o Has the client agreed to a subscriber agreement? 2379 o Is the claimed identifier syntactically valid? 2381 o For domain names: 2383 * If the leftmost label is a '*', then have the appropriate 2384 checks been applied? 2386 * Is the name on the Public Suffix List? 2388 * Is the name a high-value name? 2390 * Is the name a known phishing domain? 2392 o Is the key in the CSR sufficiently strong? 2394 o Is the CSR signed with an acceptable algorithm? 2396 CAs that use ACME to automate issuance will need to ensure that their 2397 servers perform all necessary checks before issuing. 2399 10. Acknowledgements 2401 In addition to the editors listed on the front page, this document 2402 has benefited from contributions from a broad set of contributors, 2403 all the way back to its inception. 2405 o Peter Eckersley, EFF 2407 o Eric Rescorla, Mozilla 2409 o Seth Schoen, EFF 2411 o Alex Halderman, University of Michigan 2413 o Martin Thomson, Mozilla 2415 o Jakub Warmuz, University of Oxford 2417 This document draws on many concepts established by Eric Rescorla's 2418 "Automated Certificate Issuance Protocol" draft. Martin Thomson 2419 provided helpful guidance in the use of HTTP. 2421 11. References 2423 11.1. Normative References 2425 [I-D.ietf-appsawg-http-problem] 2426 mnot, m. and E. Wilde, "Problem Details for HTTP APIs", 2427 draft-ietf-appsawg-http-problem-01 (work in progress), 2428 September 2015. 2430 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 2431 Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ 2432 RFC2119, March 1997, 2433 . 2435 [RFC2314] Kaliski, B., "PKCS #10: Certification Request Syntax 2436 Version 1.5", RFC 2314, DOI 10.17487/RFC2314, March 1998, 2437 . 2439 [RFC2985] Nystrom, M. and B. Kaliski, "PKCS #9: Selected Object 2440 Classes and Attribute Types Version 2.0", RFC 2985, DOI 2441 10.17487/RFC2985, November 2000, 2442 . 2444 [RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification 2445 Request Syntax Specification Version 1.7", RFC 2986, DOI 2446 10.17487/RFC2986, November 2000, 2447 . 2449 [RFC3339] Klyne, G. and C. Newman, "Date and Time on the Internet: 2450 Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002, 2451 . 2453 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 2454 Resource Identifier (URI): Generic Syntax", STD 66, RFC 2455 3986, DOI 10.17487/RFC3986, January 2005, 2456 . 2458 [RFC4514] Zeilenga, K., Ed., "Lightweight Directory Access Protocol 2459 (LDAP): String Representation of Distinguished Names", RFC 2460 4514, DOI 10.17487/RFC4514, June 2006, 2461 . 2463 [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data 2464 Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, 2465 . 2467 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an 2468 IANA Considerations Section in RFCs", BCP 26, RFC 5226, 2469 DOI 10.17487/RFC5226, May 2008, 2470 . 2472 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 2473 (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/ 2474 RFC5246, August 2008, 2475 . 2477 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 2478 Housley, R., and W. Polk, "Internet X.509 Public Key 2479 Infrastructure Certificate and Certificate Revocation List 2480 (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, 2481 . 2483 [RFC5753] Turner, S. and D. Brown, "Use of Elliptic Curve 2484 Cryptography (ECC) Algorithms in Cryptographic Message 2485 Syntax (CMS)", RFC 5753, DOI 10.17487/RFC5753, January 2486 2010, . 2488 [RFC5988] Nottingham, M., "Web Linking", RFC 5988, DOI 10.17487/ 2489 RFC5988, October 2010, 2490 . 2492 [RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS) 2493 Extensions: Extension Definitions", RFC 6066, DOI 2494 10.17487/RFC6066, January 2011, 2495 . 2497 [RFC6570] Gregorio, J., Fielding, R., Hadley, M., Nottingham, M., 2498 and D. Orchard, "URI Template", RFC 6570, DOI 10.17487/ 2499 RFC6570, March 2012, 2500 . 2502 [RFC7159] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data 2503 Interchange Format", RFC 7159, DOI 10.17487/RFC7159, March 2504 2014, . 2506 [RFC7469] Evans, C., Palmer, C., and R. Sleevi, "Public Key Pinning 2507 Extension for HTTP", RFC 7469, DOI 10.17487/RFC7469, April 2508 2015, . 2510 [RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web 2511 Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May 2512 2015, . 2514 [RFC7517] Jones, M., "JSON Web Key (JWK)", RFC 7517, DOI 10.17487/ 2515 RFC7517, May 2015, 2516 . 2518 [RFC7518] Jones, M., "JSON Web Algorithms (JWA)", RFC 7518, DOI 2519 10.17487/RFC7518, May 2015, 2520 . 2522 [SEC1] Standards for Efficient Cryptography Group, "SEC 1: 2523 Elliptic Curve Cryptography", May 2009, 2524 . 2526 11.2. Informative References 2528 [I-D.vixie-dnsext-dns0x20] 2529 Vixie, P. and D. Dagon, "Use of Bit 0x20 in DNS Labels to 2530 Improve Transaction Identity", draft-vixie-dnsext- 2531 dns0x20-00 (work in progress), March 2008. 2533 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, DOI 10.17487/ 2534 RFC2818, May 2000, 2535 . 2537 [RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC 2538 Text on Security Considerations", BCP 72, RFC 3552, DOI 2539 10.17487/RFC3552, July 2003, 2540 . 2542 [W3C.CR-cors-20130129] 2543 Kesteren, A., "Cross-Origin Resource Sharing", World Wide 2544 Web Consortium CR CR-cors-20130129, January 2013, 2545 . 2547 [W3C.WD-capability-urls-20140218] 2548 Tennison, J., "Good Practices for Capability URLs", World 2549 Wide Web Consortium WD WD-capability-urls-20140218, 2550 February 2014, 2551 . 2553 Authors' Addresses 2555 Richard Barnes 2556 Mozilla 2558 Email: rlb@ipv.sx 2559 Jacob Hoffman-Andrews 2560 EFF 2562 Email: jsha@eff.org 2564 James Kasten 2565 University of Michigan 2567 Email: jdkasten@umich.edu