IETF Logo Mail Archive

Re: [Acme] scope in dns-account-01 and dns-02 challenge

Seo Suchan <tjtncks@gmail.com> Mon, 18 March 2024 23:22 UTC

Return-Path: <tjtncks@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D982C151520 for <acme@ietfa.amsl.com>; Mon, 18 Mar 2024 16:22:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.603
X-Spam-Level:
X-Spam-Status: No, score=-1.603 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AmvinEnsNmBp for <acme@ietfa.amsl.com>; Mon, 18 Mar 2024 16:22:21 -0700 (PDT)
Received: from mail-pl1-x62e.google.com (mail-pl1-x62e.google.com [IPv6:2607:f8b0:4864:20::62e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9809C151090 for <acme@ietf.org>; Mon, 18 Mar 2024 16:22:21 -0700 (PDT)
Received: by mail-pl1-x62e.google.com with SMTP id d9443c01a7336-1def142ae7bso31713915ad.3 for <acme@ietf.org>; Mon, 18 Mar 2024 16:22:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1710804140; x=1711408940; darn=ietf.org; h=content-transfer-encoding:mime-version:message-id:references :in-reply-to:user-agent:subject:to:from:date:from:to:cc:subject:date :message-id:reply-to; bh=97HUpa1Or5uBdPRKhBC7nU7gH4Pbuyth+26rKOlhKKw=; b=RsQd6NGKGp41W8QAsFbap0AVb7xSE3aq6Xlc1oOMe5OLVubFhsvX7eVtTsAg72P/zb w9maGvR0WSCY8dBaD0OB/NOmvHDo5qRckEFcdrTfsK6Gd2lQot8USoMFweMi7OYwHGiD n2czw4LSUTs+Wv9C26fFpbHnnvWjwa1kfNi4dCOxTj95BC5bVmqDGLSwo+WfalB0QVMR ZI+OgzQAay9f2ffAF6bhY2UWzsDqjXXlkYR3fL6DzbDv8TNSoAWKLViPA0wTdAi0FBIc FzlC5kyZAGPvieRLZ/T0JyByd1KCizRraCVvo7PigjLvne/C4d32V8+2Zc9snd7fn8Sq yq0A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710804140; x=1711408940; h=content-transfer-encoding:mime-version:message-id:references :in-reply-to:user-agent:subject:to:from:date:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=97HUpa1Or5uBdPRKhBC7nU7gH4Pbuyth+26rKOlhKKw=; b=WPbvwcS8VekCIRxQ6amIMZl9+bTZtz960ipL25hxTu4RnyJ1hkNPsNEM02nwr7WqDV MXd/0cnqpEn/meT3NAX9H9Fxtc/aOLkpfUVBfF8xJLsDkoDH291+mTVaO578XbWG3xyr x9VLHZqdJGjazX3gpiylEbmZQKokqP8iDP5d3DiY1FhS157hGxmetkNP+fXu2D/fmyln hHQbFFdcwDBYMBI26OfWDSqlZ4ked6DcUX9+ifs6F3Aeb9L9hfohYc0dTtl8w3b+E5/G HsbBdGe+4a+jNpRyvPPGXULrAUbUl+tnGlVTU7byG4347b8baYCLHnX1w/5pfqe8/u2G zRCA==
X-Gm-Message-State: AOJu0YyXD6s/Z+pc2/0d3y+3ObTkmFU4wZvgcAF62Agy4qUYUH75pY0M nALrm2JnxAP/1BFuTML83j85hzS6hQKEMJ+IB0GxJO9zCEGImE1qulC5IKkOokw=
X-Google-Smtp-Source: AGHT+IG6sXJ/Z+F6Ww4H9LFDAyq+rjzA7gZTsGd8IEVwrt6BQq58i4BBFH/p7SAC9DCMCyfd9Jdhsg==
X-Received: by 2002:a17:903:32cd:b0:1df:fbf7:9227 with SMTP id i13-20020a17090332cd00b001dffbf79227mr7508644plr.5.1710804140285; Mon, 18 Mar 2024 16:22:20 -0700 (PDT)
Received: from ?IPv6:::1? ([2001:e60:312a:6941:dbf:57a7:83e:2f8b]) by smtp.gmail.com with ESMTPSA id l18-20020a170903121200b001ddc93c5759sm9874538plh.196.2024.03.18.16.22.19 for <acme@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 18 Mar 2024 16:22:19 -0700 (PDT)
Date: Tue, 19 Mar 2024 08:22:14 +0900
From: Seo Suchan <tjtncks@gmail.com>
To: acme@ietf.org
User-Agent: K-9 Mail for Android
In-Reply-To: <CAN3x4QkK6dFnoo0wfyCBf9_beuQf+Og9+EhoeYvMUbFaoGw8zw@mail.gmail.com>
References: <CAN3x4QkK6dFnoo0wfyCBf9_beuQf+Og9+EhoeYvMUbFaoGw8zw@mail.gmail.com>
Message-ID: <7EB59D53-7CC4-4AD3-9652-56EA622D25EE@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----G2FP1YPDXMU6XPBJA6NG6VV48ELPL2"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/32RmsqFd8Nwk1VZic39o-tvwgmY>
Subject: Re: [Acme] scope in dns-account-01 and dns-02 challenge
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2024 23:22:23 -0000

Would it be illegal to server probe both scope and pass if there is intended token?

On 2024년 3월 19일 오전 8시 3분 7초 GMT+09:00, Jacob Hoffman-Andrews <jsha=40letsencrypt.org@dmarc.ietf.org> wrote:
>Thanks, authors, for the updates in
>https://datatracker.ietf.org/doc/html/draft-ietf-acme-scoped-dns-challenges-00
>.
>
>Adding a "scope" (host, wildcard, or subdomain) to the DNS record name is
>great. Reading the draft, I think it doesn't specify how the scope for a
>given challenge is decided and communicated. Three ideas:
>
>1. Server picks, and tells the client.
>
>The challenge object contains a "scope" field. The client verifies that the
>indicated scope is one of "host", "wildcard", or "subdomain", and is less
>than the maximal scope the client is willing to validate for. For instance,
>a client might be configured to only accept "host" scope.
>
>2. Client picks.
>
>When the client POSTs to the challenge URL, instead of sending the empty
>object {}, it sends {"scope": "host"}, {"scope": "wildcard"}, or {"scope":
>"domain"}. The server verifies that the request scope is sufficient for the
>authorization object (i.e. "wildcard" or above for an authorization object
>that can be used to issue for a wildcard name), then performs the
>validation.
>
>3. Server offers options via challenge types
>
>We explode out the challenge types from two to six:
>
>dns-host-02
>dns-wildcard-02
>dns-domain-02
>dns-account-host-01
>dns-account-wildcard-01
>dns-account-domain-01
>
>The server populates the authorization object with only those challenge
>types that are acceptable. For instance, if the authorization object can be
>used to issue for a wildcard name, the server would not offer dns-host-02
>or dns-account-host-01.
>
>I like this option the best because it provides cleaner separation, and
>uses the design of ACME nicely: servers offer appropriate challenges, and
>clients pick the challenge that works best for them. Also it allows for
>clean implementation in the BRs: they could specify by name which challenge
>types are allowed to issue for wildcards.
>
>Of course, it feels messy to define so many challenge types. Perhaps we
>could eliminate the dns-02 family? The idea being that clients and servers
>that wish to adopt the modern best practices from
>https://datatracker.ietf.org/doc/draft-ietf-dnsop-domain-verification-techniques/,
>they can also adopt the account-scoping features of the dns-account-01
>family, which are not burdensome.

v2.23.0 | Report a Bug | By Email