Re: [Acme] scope in dns-account-01 and dns-02 challenge
Seo Suchan <tjtncks@gmail.com> Mon, 18 March 2024 23:22 UTC
Return-Path: <tjtncks@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D982C151520 for <acme@ietfa.amsl.com>; Mon, 18 Mar 2024 16:22:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.603
X-Spam-Level:
X-Spam-Status: No, score=-1.603 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AmvinEnsNmBp for <acme@ietfa.amsl.com>; Mon, 18 Mar 2024 16:22:21 -0700 (PDT)
Received: from mail-pl1-x62e.google.com (mail-pl1-x62e.google.com [IPv6:2607:f8b0:4864:20::62e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9809C151090 for <acme@ietf.org>; Mon, 18 Mar 2024 16:22:21 -0700 (PDT)
Received: by mail-pl1-x62e.google.com with SMTP id d9443c01a7336-1def142ae7bso31713915ad.3 for <acme@ietf.org>; Mon, 18 Mar 2024 16:22:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1710804140; x=1711408940; darn=ietf.org; h=content-transfer-encoding:mime-version:message-id:references :in-reply-to:user-agent:subject:to:from:date:from:to:cc:subject:date :message-id:reply-to; bh=97HUpa1Or5uBdPRKhBC7nU7gH4Pbuyth+26rKOlhKKw=; b=RsQd6NGKGp41W8QAsFbap0AVb7xSE3aq6Xlc1oOMe5OLVubFhsvX7eVtTsAg72P/zb w9maGvR0WSCY8dBaD0OB/NOmvHDo5qRckEFcdrTfsK6Gd2lQot8USoMFweMi7OYwHGiD n2czw4LSUTs+Wv9C26fFpbHnnvWjwa1kfNi4dCOxTj95BC5bVmqDGLSwo+WfalB0QVMR ZI+OgzQAay9f2ffAF6bhY2UWzsDqjXXlkYR3fL6DzbDv8TNSoAWKLViPA0wTdAi0FBIc FzlC5kyZAGPvieRLZ/T0JyByd1KCizRraCVvo7PigjLvne/C4d32V8+2Zc9snd7fn8Sq yq0A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710804140; x=1711408940; h=content-transfer-encoding:mime-version:message-id:references :in-reply-to:user-agent:subject:to:from:date:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=97HUpa1Or5uBdPRKhBC7nU7gH4Pbuyth+26rKOlhKKw=; b=WPbvwcS8VekCIRxQ6amIMZl9+bTZtz960ipL25hxTu4RnyJ1hkNPsNEM02nwr7WqDV MXd/0cnqpEn/meT3NAX9H9Fxtc/aOLkpfUVBfF8xJLsDkoDH291+mTVaO578XbWG3xyr x9VLHZqdJGjazX3gpiylEbmZQKokqP8iDP5d3DiY1FhS157hGxmetkNP+fXu2D/fmyln hHQbFFdcwDBYMBI26OfWDSqlZ4ked6DcUX9+ifs6F3Aeb9L9hfohYc0dTtl8w3b+E5/G HsbBdGe+4a+jNpRyvPPGXULrAUbUl+tnGlVTU7byG4347b8baYCLHnX1w/5pfqe8/u2G zRCA==
X-Gm-Message-State: AOJu0YyXD6s/Z+pc2/0d3y+3ObTkmFU4wZvgcAF62Agy4qUYUH75pY0M nALrm2JnxAP/1BFuTML83j85hzS6hQKEMJ+IB0GxJO9zCEGImE1qulC5IKkOokw=
X-Google-Smtp-Source: AGHT+IG6sXJ/Z+F6Ww4H9LFDAyq+rjzA7gZTsGd8IEVwrt6BQq58i4BBFH/p7SAC9DCMCyfd9Jdhsg==
X-Received: by 2002:a17:903:32cd:b0:1df:fbf7:9227 with SMTP id i13-20020a17090332cd00b001dffbf79227mr7508644plr.5.1710804140285; Mon, 18 Mar 2024 16:22:20 -0700 (PDT)
Received: from ?IPv6:::1? ([2001:e60:312a:6941:dbf:57a7:83e:2f8b]) by smtp.gmail.com with ESMTPSA id l18-20020a170903121200b001ddc93c5759sm9874538plh.196.2024.03.18.16.22.19 for <acme@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 18 Mar 2024 16:22:19 -0700 (PDT)
Date: Tue, 19 Mar 2024 08:22:14 +0900
From: Seo Suchan <tjtncks@gmail.com>
To: acme@ietf.org
User-Agent: K-9 Mail for Android
In-Reply-To: <CAN3x4QkK6dFnoo0wfyCBf9_beuQf+Og9+EhoeYvMUbFaoGw8zw@mail.gmail.com>
References: <CAN3x4QkK6dFnoo0wfyCBf9_beuQf+Og9+EhoeYvMUbFaoGw8zw@mail.gmail.com>
Message-ID: <7EB59D53-7CC4-4AD3-9652-56EA622D25EE@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----G2FP1YPDXMU6XPBJA6NG6VV48ELPL2"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/32RmsqFd8Nwk1VZic39o-tvwgmY>
Subject: Re: [Acme] scope in dns-account-01 and dns-02 challenge
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2024 23:22:23 -0000
Would it be illegal to server probe both scope and pass if there is intended token? On 2024년 3월 19일 오전 8시 3분 7초 GMT+09:00, Jacob Hoffman-Andrews <jsha=40letsencrypt.org@dmarc.ietf.org> wrote: >Thanks, authors, for the updates in >https://datatracker.ietf.org/doc/html/draft-ietf-acme-scoped-dns-challenges-00 >. > >Adding a "scope" (host, wildcard, or subdomain) to the DNS record name is >great. Reading the draft, I think it doesn't specify how the scope for a >given challenge is decided and communicated. Three ideas: > >1. Server picks, and tells the client. > >The challenge object contains a "scope" field. The client verifies that the >indicated scope is one of "host", "wildcard", or "subdomain", and is less >than the maximal scope the client is willing to validate for. For instance, >a client might be configured to only accept "host" scope. > >2. Client picks. > >When the client POSTs to the challenge URL, instead of sending the empty >object {}, it sends {"scope": "host"}, {"scope": "wildcard"}, or {"scope": >"domain"}. The server verifies that the request scope is sufficient for the >authorization object (i.e. "wildcard" or above for an authorization object >that can be used to issue for a wildcard name), then performs the >validation. > >3. Server offers options via challenge types > >We explode out the challenge types from two to six: > >dns-host-02 >dns-wildcard-02 >dns-domain-02 >dns-account-host-01 >dns-account-wildcard-01 >dns-account-domain-01 > >The server populates the authorization object with only those challenge >types that are acceptable. For instance, if the authorization object can be >used to issue for a wildcard name, the server would not offer dns-host-02 >or dns-account-host-01. > >I like this option the best because it provides cleaner separation, and >uses the design of ACME nicely: servers offer appropriate challenges, and >clients pick the challenge that works best for them. Also it allows for >clean implementation in the BRs: they could specify by name which challenge >types are allowed to issue for wildcards. > >Of course, it feels messy to define so many challenge types. Perhaps we >could eliminate the dns-02 family? The idea being that clients and servers >that wish to adopt the modern best practices from >https://datatracker.ietf.org/doc/draft-ietf-dnsop-domain-verification-techniques/, >they can also adopt the account-scoping features of the dns-account-01 >family, which are not burdensome.
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Seo Suchan
- [Acme] scope in dns-account-01 and dns-02 challen… Jacob Hoffman-Andrews
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Amir Omidi
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Ilari Liusvaara
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Jacob Hoffman-Andrews
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Amir Omidi
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Ilari Liusvaara
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Jacob Hoffman-Andrews
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Amir Omidi
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Jacob Hoffman-Andrews
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Ilari Liusvaara