divergentdave
commented
1 day ago Note that externalAccountBinding only comes into play at the time of the newAccount request. The ACME client must have acquired a nonce prior to sending this request. I think that the document should not attempt to add authentication to newNonce requests, in order to better fit into the existing ACME protocol. Checking federation membership can be deferred to challenge response time.
eAB might not be a good fit here, because that would require distributing MAC keys to ACME clients up front. That could be made to work by defining another API, but I don't think it would improve the protocol. Either we check federation membership only when handing out eAB MAC keys, and we effectively lose federation trust revocation, or we check federation membership both when handing out eAB MAC keys and during challenge verification, which duplicates effort, or we check federation membership only during challenge verification.
jcjones
peppelinux
https://peppelinux.github.io/draft-demarco-acme-openid-federation/draft-demarco-acme-openid-federation.html#section-6.2
One problem with this is HEAD is not a good verb for this request, since it's quite involved. Semantically, HEAD should be quick and easy for the server to respond to. POST-as-GET may fit better, and is allowable for us to service newNonce in that way.
But, it seems unusual to authenticate newNonce in this way.
Is the intent to prevent non-federation entities from accessing the ACME server? If so, we may be better off with some kind of federation -> ACME account binding. Perhaps with externalAccountBinding.
Thanks to @jcjones for pointing this out.