TOKEN Challenge

Hi All,

I need to know weather the following TOKEN challenge mechanism is available or this could be implemented using an ACME client. Im using a Java ACME client.

  1. The application is initiated by the ACME client with an HTTP POST as shown in the following example:

    POST /acme/new-app HTTP/1.1
    Content-Type: application/jose+json

    “protected”: base64url({
    “alg”: “ES256”,
    “kid”: “",
    “nonce”: “5XJ1L3lEkMG7tR6pA00clA”,
    “url”: “"
    “payload”: base64url({
    “csr”: “5jNudRx6Ye4HzKEqT5…FS6aKdZeGsysoCo4H9P”,
    “notBefore”: “2016-01-01T00:00:00Z”,
    “notAfter”: “2016-01-08T00:00:00Z”
    “signature”: “H6ZXtGjTZyUnPeKn…wEA4TklBdh3e454g”

  2. The STI-CA ACME server should look into the CSR request as standard process. However, for the SHAKEN certificate management specifically, different from a typical domain validation, it should extract the “title” attribute of the Distinguished Name (DN). This will provide the SPID value being claimed by the Service Provider and can be used to construct the SHAKEN specific identifier that will be used in the challenge.

The SHAKEN specific identifier should have a type of “spid” and should include a key of “value” which has a value of the SPID identifier in the title attribute. An example of this identifier is

 "identifier": {
   "type": "spid",
   "value": "505-555-1234-0111"

This identifier will be used in the authorization challenge that will be shown incorporated into the authorization object below.

  1. Upon successful processing of the application request, a challenge authorization response from the ACME server is sent back, as shown in the following example:

HTTP/1.1 201 Created
Replay-Nonce: MYAuvOpaoIiywTezizk5vw

“status”: “pending”,
“expires”: “2015-03-01T14:09:00Z”,

 "csr": "jcRf4uXra7FGYW5ZMewvV...rhlnznwy8YbpMGqwidEXfE",
 "notBefore": "2016-01-01T00:00:00Z",
 "notAfter": "2016-01-08T00:00:00Z",

 "requirements": [
     "type": "authorization",
     "status": "valid",
     "url": “"


Sorry If this is clumsy and thanks in advance.

I believe some members of the IETF ACME working group are working on this. I’m not sure what the status is on that, you might find more on the mailing list. Not aware of any existing implementations.

Let’s Encrypt currently does not support any non-DNS identifiers, and I don’t think there are any plans to change this at the moment. (Not sure if that was part of your question.)

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.