Certbot: Stop using a cryptographic hash for account IDs

Created on 23 Jan 2020  路  3Comments  路  Source: certbot/certbot

In https://github.com/certbot/certbot/pull/7708 we fixed the problem with using MD5 on RHEL FIPS systems. This hopefully resolved all the issues of people being unable to use Certbot because of its use of MD5.

We could still simplify that code and potentially avoid similar problems in the future by no longer using a cryptographic hash for the account ID. I'd recommend that anyone who works on this issue reads https://github.com/certbot/certbot/issues/1948, but jsha suggested just using a randomly generated value at https://github.com/certbot/certbot/issues/1948#issuecomment-310512934.

As of writing this, we still shouldn't make this change yet because of the potential of breaking a lot of people if they have to downgrade to the version of Certbot currently packaged in Linux distros such as Debian and Ubuntu. I described this problem more at https://github.com/certbot/certbot/issues/1948#issuecomment-574922873.

code health

All 3 comments

May I suggest using UUID again? Specifically uuid.uuid4().

UUIDs are designed to be unique and I like the idea of using some kind of standardised unique identifier above just some random bytes.

@osirisinferi what you are saying makes zero sense whatsoever !!!

You say "Specifically uuid.uuid4()".

Have you actually looked at a definition of UUID version 4 ?

To quote RFC4122 :

The version 4 UUID is meant for generating UUIDs from truly-random or
pseudo-random numbers.

The algorithm is as follows:

o Set the two most significant bits (bits 6 and 7) of the
clock_seq_hi_and_reserved to zero and one, respectively.

o Set the four most significant bits (bits 12 through 15) of the
time_hi_and_version field to the 4-bit version number from
Section 4.1.3.

o Set all the other bits to randomly (or pseudo-randomly) chosen
values.

Therefore, asking people to use UUIDv4 instead of "just some random bytes" is a bit nonsensical, as per the definition, the majority of UUIDv4 is "just some random bytes" !!!!!

Also many develpers don't even follow official RFC4122 v4 UUID and just make 100% random UUIDs without the predictable bits.

Therefore, asking people to use UUIDv4 instead of "just some random bytes" is a bit nonsensical, as per the definition, the majority of UUIDv4 is "just some random bytes" !!!!!

Like I said, the reason for using UUID would be to adhere to some kind of standardised method.

Also many develpers don't even follow official RFC4122 v4 UUID and just make 100% random UUIDs without the predictable bits.

I don't think the developers of certbot should make choices solely based on the fact what "many developers" do, especially without any credible sources.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

realtebo picture realtebo  路  3Comments

LouWii picture LouWii  路  4Comments

DirkWolthuis picture DirkWolthuis  路  3Comments

marceliwac picture marceliwac  路  3Comments

KeiroD picture KeiroD  路  4Comments