upvote

points

by mmh00007 hours ago |
comments
upvoteby Ajedi324 hours ago|
next
[-]
> they could have just as easily used a randomly generated key

Isn't that pretty much what an accounturi is in the context of ACME? Who goes around manually creating Let's Encrypt accounts and re-using them on every server they manage?

reply
upvoteby ragall7 hours ago|
prev|
next
[-]
Those who choose to use DNS-PERSIST-01 should fully commit to automation and create one LetsEncrypt account per FQDN (or at least per loadbalancer), using a UUID as username.
reply
upvoteby mcpherrinm6 hours ago|
parent|
[-]
There is no username in ACME besides the account URI, so the UUID you’re suggesting isn’t needed. The account uri themselves just have a number (db primary key).

If you’re worried about correlating between domains, then yes just make multiple accounts.

There is an email field in ACME account registration but we don’t persist that since we dropped sending expiry emails.

reply
upvoteby 9dev4 hours ago|
parent|
next
[-]
It’s still a valid point IMHO - why not just use the public key directly? It seems like the account URI just adds problems instead of resolving any.
reply
upvoteby mcpherrinm2 hours ago|
parent|
[-]
It has these primary advantages:

1. It matches what the CAA accounturi field has

2. Its consistent across an account, making it easier to set up new domains without needing to make any API calls

3. It doesn’t pin a users key, so they can rotate it without needing to update DNS records - which this method assumes is nontrivial, otherwise you’d use the classic DNS validation method

reply
upvoteby glzone14 hours ago|
parent|
prev|
[-]
Interesting.

I didn't realize the email field wasn't persisted. I assumed it could be used in some type of account recovery scenario.

reply
upvoteby bflesch2 hours ago|
prev|
[-]
> But I don't understand why they chose to include the account as a plain-text string in the DNS record.

Simple: it's for tracking. Someone paid for that.

reply