Re: [Acme] ACME wildcards vs. subdomain authorizations (was RE: Call for adoption draft-frield-acme-subdomains)

Ryan Sleevi <ryan-ietf@sleevi.com> Tue, 21 January 2020 13:04 UTC

To: "Owen Friel (ofriel)" <ofriel@cisco.com>
Cc: Felipe Gasper <felipe@felipegasper.com>, IETF ACME <acme@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/5O8JiCeVSAYx5TD-QRYzGHofsCk>

On Tue, Jan 21, 2020 at 7:14 AM Owen Friel (ofriel) <ofriel@cisco.com>
wrote:

> > Also, the linked document states:
> >
> >    The call flow illustrates the DNS-based proof of ownership mechanism,
> >    but the subdomain workflow is equally valid for HTTP based proof of
> >    ownership.
> >
> > Can't I have HTTP access to a base domain's website without having
> > access to a subdomain's, though? I thought that was the reason why ACME
> > limits wildcard authz to DNS.
>
> [ofriel] Daniel has clarified this already. It's a Let's Encrypt, not an
> ACME, limitation.

Although the CA/Browser Forum / Browser Stores have repeatedly discussed
forbidding it. That is, allowing the HTTP and TLS methods of validation to
only be scoped for the host in question (and potentially the service in
question, if we can work out the safe SRVName transition, due to the
interaction of nameConstraints and policy).

Would it be simpler to remove the statement from the draft, rather than try
to clarify that "equally valid" refers to the technology without commenting
on the policy?

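A constructed check, added here and not code from the draft, Let's Encrypt or any CA, of the distinction the thread turns on: whether an existing authorization may be reused to issue a subdomain or wildcard name under RFC 8555 as written (wildcards need dns-01, a parent-domain authz per draft-friel-acme-subdomains otherwise covers children) versus the stricter host-scoping of HTTP and TLS validation Ryan describes. The `Authorization` model, the `strict` flag and the sample names are assumptions; the wildcard flag of RFC 8555 authorizations is folded into the dns-01 requirement for simplicity.

```python
from dataclasses import dataclass

DNS_SCOPED = {"dns-01"}
HOST_SCOPED = {"http-01", "tls-alpn-01"}


@dataclass(frozen=True)
class Authorization:
    domain: str            # identifier that was validated, e.g. "example.com"
    challenge: str         # challenge type that was completed for it
    subdomain_auth: bool   # issued as a parent-domain authz (draft-friel-acme-subdomains)


def _norm(name: str) -> str:
    # DNS names are case-insensitive; drop a trailing root dot.
    return name.lower().rstrip(".")


def _is_child(name: str, parent: str) -> bool:
    name, parent = _norm(name), _norm(parent)
    return name == parent or name.endswith("." + parent)


def authz_covers(authz: Authorization, requested: str, strict: bool = False) -> bool:
    """Return True if `authz` may be reused to issue `requested` (may start with '*.').

    strict=False: RFC 8555 plus the subdomain draft as written, where a parent
    authz is "equally valid" for HTTP- or DNS-based proof.
    strict=True:  the policy discussed in the thread, where http-01 and tls-alpn-01
    prove control of exactly one host, so neither wildcards nor child names
    inherit that proof (assumed policy, not a published rule).
    """
    if authz.challenge not in DNS_SCOPED | HOST_SCOPED:
        return False                      # unknown challenge type: never reuse
    wildcard = requested.startswith("*.")
    base = requested[2:] if wildcard else requested
    if wildcard and authz.challenge not in DNS_SCOPED:
        return False                      # RFC 8555: wildcards need DNS proof
    if strict and authz.challenge in HOST_SCOPED:
        return _norm(base) == _norm(authz.domain)   # the validated host only
    if authz.subdomain_auth:
        return _is_child(base, authz.domain)        # parent authz covers children
    return _norm(base) == _norm(authz.domain)       # ordinary authz: exact match
```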