path: root/Changelog
diff options
authorGuilhem Moulin <guilhem@fripost.org>2021-02-21 14:27:50 +0100
committerGuilhem Moulin <guilhem@fripost.org>2021-02-21 19:41:40 +0100
commitba6addf54cef0b1536dc87c42a41b4dc207ac884 (patch)
treeab057ee5f4675709e30a88a31aa57ab525c73cdb /Changelog
parent16f7d75ac8e46a7905779931c871ac85c7e1aa04 (diff)
accountd: Pass JWA and JWK thumbprint via extended greeting data.
Passing the JWA to the ACME client is required if we want to support account keys other than RSA. As of 0.7 both lacme-accountd(1) and lacme(8) hardcode “RS256” (SHA256withRSA per RFC 7518 sec. A.1). Passing the JWK thumbprint is handy as it gives more flexibility if RFC 8555 sec. 8.1 were to be updated with another digest algorithm (it's currently hardcoded to SHA-256). A single lacme-account(1) instance might be used to sign requests from many clients, and it's easier to upgrade a single ‘lacme-accountd’ than many ‘lacme’. Moreover, in some restricted environments lacme-accountd might hide the JWK from the client to prevent ‘newAccount’ requests (such as contact updates); passing its thumbprint is enough for ‘newOrder’ requests.
Diffstat (limited to 'Changelog')
1 files changed, 2 insertions, 0 deletions
diff --git a/Changelog b/Changelog
index e6becda..ffd9536 100644
--- a/Changelog
+++ b/Changelog
@@ -69,6 +69,8 @@ lacme (0.7.1) upstream;
connection through ssh. The new flag is documented to allow safe
usage is authorized_keys(5) restrictions.
+ Remove dependency on List::Util (core module).
+ + accountd: Pass JWA and JWK thumbprint via extended greeting data.
+ This gives better forward flexibility.
- lacme: delay webserver socket shutdown to after the process has
- documentation: suggest to generate private key material with