Hi All,
I need to know whether the following TOKEN challenge mechanism is available, or whether it could be implemented using an ACME client. I'm using a Java ACME client.
The application is initiated by the ACME client with an HTTP POST as shown in the following example:

POST /acme/new-app HTTP/1.1
Host: sti-ca.com
Content-Type: application/jose+json

{
  "protected": base64url({
    "alg": "ES256",
    "kid": "https://sti-ca.com/acme/reg/asdf",
    "nonce": "5XJ1L3lEkMG7tR6pA00clA",
    "url": "https://sti-ca.com/acme/new-app"
  }),
  "payload": base64url({
    "csr": "5jNudRx6Ye4HzKEqT5…FS6aKdZeGsysoCo4H9P",
    "notBefore": "2016-01-01T00:00:00Z",
    "notAfter": "2016-01-08T00:00:00Z"
  }),
  "signature": "H6ZXtGjTZyUnPeKn…wEA4TklBdh3e454g"
}
The STI-CA ACME server should look into the CSR request as the standard process. However, for SHAKEN certificate management specifically, unlike a typical domain validation, it should extract the "title" attribute of the Distinguished Name (DN). This will provide the SPID value being claimed by the Service Provider and can be used to construct the SHAKEN-specific identifier that will be used in the challenge.
The SHAKEN-specific identifier should have a type of "spid" and should include a key of "value" whose value is the SPID identifier from the title attribute. An example of this identifier is:

"identifier": {
  "type": "spid",
  "value": "505-555-1234-0111"
}

This identifier will be used in the authorization challenge, which is incorporated into the authorization object shown below.
Upon successful processing of the application request, a challenge authorization response from the ACME server is sent back, as shown in the following example:
HTTP/1.1 201 Created
Replay-Nonce: MYAuvOpaoIiywTezizk5vw
Location: https://sti-ca.com/acme/app/asdf

{
  "status": "pending",
  "expires": "2015-03-01T14:09:00Z",
  "csr": "jcRf4uXra7FGYW5ZMewvV...rhlnznwy8YbpMGqwidEXfE",
  "notBefore": "2016-01-01T00:00:00Z",
  "notAfter": "2016-01-08T00:00:00Z",
  "requirements": [
    {
      "type": "authorization",
      "status": "valid",
      "url": "https://sti-ca.com/acme/authz/1234"
    }
  ]
}
Sorry if this is clumsy, and thanks in advance.
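As an added example (not from the post, and not code from any ACME client or STI-CA implementation), the server-side step described above in Python: pull the title attribute (id-at-title, OID 2.5.4.12) out of a DER-encoded CSR subject and build the "spid" identifier from it. The tiny DER encoder, the sample subject DN and the requirement that exactly one title attribute be present are assumptions for the demo; a real implementation would first parse the whole CertificationRequest and verify its signature before trusting the subject.

```python
TITLE_OID = bytes.fromhex("55040c")  # id-at-title (2.5.4.12), carries the SPID
CN_OID = bytes.fromhex("550403")     # id-at-commonName (2.5.4.3)
STRING_TAGS = {0x0C, 0x13, 0x16}     # UTF8String, PrintableString, IA5String

def der(tag, body):
    # Minimal DER TLV encoder (short-form lengths only); used to build the sample Name.
    return bytes([tag, len(body)]) + body

def rdn(oid, value):
    # RelativeDistinguishedName ::= SET OF SEQUENCE { type OID, value UTF8String }
    return der(0x31, der(0x30, der(0x06, oid) + der(0x0C, value.encode())))

def parse_tlv(buf, pos):
    """Return (tag, contents, next position) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def name_attributes(der_name):
    """Flatten a DER-encoded X.509 Name into [(oid_bytes, value_str)] in encoded order."""
    tag, body, _ = parse_tlv(der_name, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(body):
        _, rdn_body, pos = parse_tlv(body, pos)          # SET OF AttributeTypeAndValue
        rpos = 0
        while rpos < len(rdn_body):
            _, atv, rpos = parse_tlv(rdn_body, rpos)     # SEQUENCE { type, value }
            _, oid, vpos = parse_tlv(atv, 0)
            vtag, value, _ = parse_tlv(atv, vpos)
            if vtag not in STRING_TAGS:
                raise ValueError("unsupported attribute value tag 0x%02x" % vtag)
            attrs.append((oid, value.decode("utf-8")))
    return attrs

def spid_identifier(der_name):
    """Build the SHAKEN identifier from the subject's title attribute (exactly one required)."""
    titles = [v for oid, v in name_attributes(der_name) if oid == TITLE_OID]
    if len(titles) != 1 or not titles[0]:
        raise ValueError("expected exactly one non-empty title attribute, got %d" % len(titles))
    return {"type": "spid", "value": titles[0]}

# Constructed sample subject DN (an assumption); the SPID value is the one from the post's example.
SAMPLE_SUBJECT = der(0x30, rdn(CN_OID, "SHAKEN 505-555-1234-0111") + rdn(TITLE_OID, "505-555-1234-0111"))
```

Calling `spid_identifier(SAMPLE_SUBJECT)` yields the `{"type": "spid", "value": "505-555-1234-0111"}` object from the post, and a subject with no title (or more than one) is rejected rather than silently mapped to a SPID.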