“Registrations/IP address limits the number of registrations you can make in a given time period;” - what exactly is meant by that sentence? Is that a limit of new keys that can be registered from particular IP in a given time period or is that a limit on a number of /new-reg requests from that IP regardless of whether the account is already registered or not?
If my reading of the boulder source code is correct, account key roll-over is not yet implemented, so as of now, the number of account keys should be the same as the number of registrations - you can’t change your key, and you can only have one key per account.
Not sure how it’s going to be when roll-over is implemented, but my best guess would be that it would still only apply to new-reg, as the thing that’s being rate limited here is the number of registration rows in the database (which wouldn’t increase when keys are being changed).
(I’m assuming you’re referring to account keys. As for certificates, there are no IP-based rate limits.)
Indeed, I was referring to the account keys. Basically it’s still slightly confusing - the way it’s worded, we are talking about “registrations”. However, ACME draft specifically separates ‘new-reg’ (New registration) and ‘reg’ (Registration) resources.
Additionally, you cannot directly access the ‘reg’ resource without knowing your ID (even though it is possible from the ‘reg’ response to figure out whether the key is registered or not without knowing which ID it’s associated with). So the usual workflow is currently to request ‘new-reg’ and on getting 409 go to the returned ‘reg’ URL which has your ID in it. That means for both already registered account keys and new account keys you have to go through ‘new-reg’ first (unless you write down your ID somewhere to go straight to ‘reg’ next time of course).
So it would be nice to know what type of ‘registrations’ was meant there and how that limit is planned to be implemented. If it’s about new keys being actually registered, that does seem like a fair amount, but if it’s about the number of requests sent to ‘new-reg’, ‘reg’ or both, then it might be a problem.
It’s the number of new accounts actually being registered. Because the 409 response with a link to the registration is intended to help look up an existing registration, I think it’s highly unlikely we would apply the registrations per IP rate limit to that type of request.
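To make the distinction in the thread concrete (a 409 on new-reg is a lookup, and only a newly created registration row counts against the per-IP limit), here is an added model of both sides of the exchange. It is example code written for this page, not Boulder’s implementation or a real ACME client: the account key is an opaque string standing in for the JWK (no JWS signing is modelled), the error bodies are simplified, and the limit of 3 registrations per IP per hour, the base URL and the IP address are assumed values.

```python
"""Model of the ACME new-reg / reg workflow with a per-IP registration limit
that counts only newly created accounts (example code, not Boulder's)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional
import time

REG_LIMIT_PER_IP = 3        # assumed value for illustration, not Boulder's
REG_WINDOW_SECONDS = 3600   # assumed value for illustration


@dataclass
class Response:
    status: int
    body: dict
    location: Optional[str] = None


@dataclass
class ACMEServer:
    """Server side: a registrations table keyed by account key, plus a
    per-IP log of *creation* times used for the rate limit."""
    base_url: str = "https://acme.example/acme"   # hypothetical endpoint
    regs_by_key: Dict[str, int] = field(default_factory=dict)
    creations: Dict[str, List[float]] = field(default_factory=dict)
    next_id: int = 1

    def reg_url(self, reg_id: int) -> str:
        return f"{self.base_url}/reg/{reg_id}"

    def _recent_creations(self, ip: str, now: float) -> List[float]:
        window_start = now - REG_WINDOW_SECONDS
        recent = [t for t in self.creations.get(ip, []) if t >= window_start]
        self.creations[ip] = recent
        return recent

    def new_reg(self, ip: str, key: str, now: Optional[float] = None) -> Response:
        now = time.time() if now is None else now
        # Already-registered key: 409 plus a Location pointing at the existing
        # 'reg' resource. This is a lookup and never touches the IP counter.
        if key in self.regs_by_key:
            reg_id = self.regs_by_key[key]
            return Response(409, {"detail": "key already registered"},
                            location=self.reg_url(reg_id))
        # Genuinely new key: only here is the per-IP limit consulted.
        if len(self._recent_creations(ip, now)) >= REG_LIMIT_PER_IP:
            return Response(429, {"detail": "too many registrations from this IP"})
        reg_id = self.next_id
        self.next_id += 1
        self.regs_by_key[key] = reg_id
        self.creations.setdefault(ip, []).append(now)
        return Response(201, {"id": reg_id, "key": key}, location=self.reg_url(reg_id))

    def reg(self, url: str, key: str) -> Response:
        """Direct access to 'reg': needs the ID (from the URL) and the owning key."""
        reg_id = int(url.rsplit("/", 1)[1])
        if self.regs_by_key.get(key) != reg_id:
            return Response(403, {"detail": "key does not own this registration"})
        return Response(200, {"id": reg_id, "key": key}, location=url)


@dataclass
class ACMEClient:
    """Client side: tries new-reg, accepts 201 or 409, and writes down the
    returned 'reg' URL so later runs skip new-reg entirely."""
    server: ACMEServer
    ip: str
    key: str
    cached_reg_url: Optional[str] = None

    def ensure_registered(self, now: Optional[float] = None) -> str:
        if self.cached_reg_url:
            return self.cached_reg_url          # straight to 'reg', no new-reg
        resp = self.server.new_reg(self.ip, self.key, now)
        if resp.status in (201, 409) and resp.location:
            self.cached_reg_url = resp.location
            return resp.location
        raise RuntimeError(f"new-reg failed: {resp.status} {resp.body}")


def scenario() -> dict:
    """Constructed walk-through: same IP, several keys, one time window."""
    srv = ACMEServer()
    t0 = 1_000_000.0
    ip = "203.0.113.7"                          # constructed address
    clients = [ACMEClient(srv, ip, f"key-{i}") for i in range(3)]
    urls = [c.ensure_registered(t0) for c in clients]        # three creations
    fourth = srv.new_reg(ip, "key-3", t0).status             # limit reached
    lookups = [srv.new_reg(ip, f"key-{i}", t0).status for i in range(3)]  # 409s
    cached = clients[0].ensure_registered(t0)                # no new-reg call
    direct = srv.reg(cached, clients[0].key).status          # owner reads 'reg'
    wrong_key = srv.reg(cached, "key-1").status              # other key refused
    later = srv.new_reg(ip, "key-3", t0 + REG_WINDOW_SECONDS + 1).status
    return {"urls": urls, "fourth": fourth, "lookups": lookups,
            "direct": direct, "wrong_key": wrong_key, "later": later}


if __name__ == "__main__":
    print(scenario())
```

The point the model makes explicit is where the counter is incremented: only on the 201 path. Repeating new-reg with a key that is already registered returns 409 with the reg URL as many times as you like, and a client that caches that URL never needs new-reg again.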