Re: [Acme] Paul Wouters' Discuss on draft-ietf-acme-subdomains-06: (with DISCUSS and COMMENT)

"Owen Friel (ofriel)" <ofriel@cisco.com> Mon, 27 February 2023 16:40 UTC

From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Paul Wouters <paul.wouters@aiven.io>, The IESG <iesg@ietf.org>
CC: "draft-ietf-acme-subdomains@ietf.org" <draft-ietf-acme-subdomains@ietf.org>, "acme-chairs@ietf.org" <acme-chairs@ietf.org>, "acme@ietf.org" <acme@ietf.org>, "debcooley1@gmail.com" <debcooley1@gmail.com>
Thread-Topic: Paul Wouters' Discuss on draft-ietf-acme-subdomains-06: (with DISCUSS and COMMENT)
Thread-Index: AQHZK7BHzOfG7aLT5UKyrf/5GITL2q7jOirA
Date: Mon, 27 Feb 2023 16:39:44 +0000
Message-ID: <DS0PR11MB6445FFB559D9FDC9EC9CDDECDBAF9@DS0PR11MB6445.namprd11.prod.outlook.com>
References: <167409639820.55748.11336964357482441856@ietfa.amsl.com>
In-Reply-To: <167409639820.55748.11336964357482441856@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/10AMDsKz0rMJeCEcCC1wl77acEI>
Subject: Re: [Acme] Paul Wouters' Discuss on draft-ietf-acme-subdomains-06: (with DISCUSS and COMMENT)

Thanks Paul.

The authors have been back and forth on these issues for the past month. See inline for summary.

-----Original Message-----
From: Paul Wouters via Datatracker <noreply@ietf.org> 
Sent: Thursday, January 19, 2023 2:47 AM
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-acme-subdomains@ietf.org; acme-chairs@ietf.org; acme@ietf.org; debcooley1@gmail.com; debcooley1@gmail.com
Subject: Paul Wouters' Discuss on draft-ietf-acme-subdomains-06: (with DISCUSS and COMMENT)


----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

# Sec AD review of draft-ietf-acme-subdomains-06

CC @paulwouters

Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
for more information about how to handle DISCUSS and COMMENT positions.

This review uses the format specified in https://github.com/mnot/ietf-comments/
which allows automated tools to process items (eg to produce github issues)

## DISCUSS

### Zone boundary implications
```
   the ACME client need only fulfill an
   ownership challenge against an ancestor domain identifier.
```

This document seems to have a "Public Suffix List" issue and no Security
Considerations to cover this. PSL is mentioned in RFC 8555, but limited to
the context of wildcards.

The draft hints at the server being able to allow or not allow subdomain
issuance but provides little guidance.  I think at minimum, advice should be
given not to allow issuance where it crosses a label that is present in
the Public Suffix List (PSL). Additionally, it could say this should not
be allowed for the root one or TLD zones, and that care should be taken
with Empty Non-Terminals (ENT), eg "co.uk".

Currently, for a TLD to obtain a rogue certificate, it has to take over
a child zone by issuing new NS records or issue a (DNSSEC signed) A or
AAAA record directly into the child domain abusively crossing the zone cut.
These are auditable or rejectable as these DNSSEC keys are not used for
subdomains in normal deployment. With this document, they just need to
issue a TXT record into their own zone, which is indistinguishable from
a normal operation of a DNSSEC zone key signing its own zone content.

So I believe some security guidance here would be useful.

[ofriel] Agreed. We will add some commentary similar to that in https://www.rfc-editor.org/rfc/rfc8555#section-10.5


### Post compromise security

This document allows an authorization object to be used in the future
for additional sub/super domain ACME certificates. This does seem
like a new security concern without a matching security consideration.
While without this document, abuse could happen for an individual domain,
this can now be extended to all domains under it or one or more levels
above it. An attacker could copy this object and use it at a much later
date to issue fraudulent certificates for many subdomains.

Related: Is there a way to indicate with ACME that this object should be
de-authorized, to gain some post compromise security? I did not see anything
listed in the security considerations of RFC8555.

I did not see any recommendations for the expire: field in RFC 8555's Security
Considerations Section.

[ofriel] The authz object is the server's internal state that represents the specific client account authorization for a given identifier. It's not really the authz object that gets compromised, it's the client account that gets compromised and allows the attacker to do whatever they want with that client account. We can clarify this in the security section and reference back to https://www.rfc-editor.org/rfc/rfc8555#section-7.3.6, which describes how a client can deactivate their account if account keys are compromised.

### Wildcards?

It is unclear to me how DNS wildcards, eg "*.nohats.ca" should be handled?
Do they fall within the permissions granted by "subdomainAuthAllowed"?

[ofriel] We will add clarifying text that if server policy allows issuance of wildcard certs under a given ancestor domain, then it SHOULD include the "wildcard": true field in the authz object.
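One way a CA could enforce the server-side policy discussed in this thread: refuse reusable ancestor authorizations at the root, bare-TLD or public-suffix level, reject issuance whose path down from the ancestor crosses a public-suffix label, and honour wildcard names only when the authz carries "wildcard": true. This is an added illustration, not code from draft-ietf-acme-subdomains or its authors; PUBLIC_SUFFIXES is a constructed stand-in for the real Public Suffix List and the function names are the example's own.

```python
# Constructed stand-in for the Public Suffix List; a real CA loads the full
# list from https://publicsuffix.org/ and refreshes it regularly.
PUBLIC_SUFFIXES = {"com", "net", "uk", "co.uk", "hosted.example.net"}


def _labels(name: str) -> list[str]:
    return name.lower().rstrip(".").split(".")


def is_public_suffix(name: str) -> bool:
    return name.lower().rstrip(".") in PUBLIC_SUFFIXES


def ancestor_authz_allowed(ancestor: str) -> bool:
    """Refuse a reusable ancestor-domain authorization for the root, a bare
    TLD, or any name that is itself a public suffix (e.g. "co.uk")."""
    a = ancestor.lower().rstrip(".")
    return bool(a) and len(_labels(a)) >= 2 and not is_public_suffix(a)


def issuance_allowed(authz_identifier: str, authz_wildcard: bool,
                     requested: str) -> bool:
    """Decide whether `requested` may be issued under an existing ancestor
    authorization: it must be the ancestor or a descendant of it, the path
    down from the ancestor must not cross a public-suffix label, and a
    wildcard name is honoured only when the authz carries "wildcard": true."""
    if not ancestor_authz_allowed(authz_identifier):
        return False
    anc = _labels(authz_identifier)
    req = _labels(requested)
    if req[0] == "*":
        if not authz_wildcard:
            return False
        req = req[1:]          # the wildcard's base name must sit under the ancestor
    if "*" in req:
        return False           # a wildcard is only valid as the leftmost label
    if len(req) < len(anc) or req[-len(anc):] != anc:
        return False           # neither the ancestor itself nor a descendant of it
    # Walk every name between the ancestor and the requested name; if any of
    # them is a public suffix, the authorization would span a registry-style
    # boundary below which unrelated parties hold their own domains.
    for i in range(len(req) - len(anc), -1, -1):
        if is_public_suffix(".".join(req[i:])):
            return False
    return True
```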