Re: [Acme] Fwd: New Version Notification for draft-suchan-acme-onion-00.txt

Seo Suchan <tjtncks@gmail.com> Wed, 11 May 2022 13:23 UTC

To: Richard Barnes <rlb@ipv.sx>
Cc: acme@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/6HdV6xK5W7m5JT3ih5DqKG-aFa4>

I don't think we can change the challenge name while staying compatible with
CABF requirements: they already point to RFC 8555 section 8.3 and RFC 8723 for
allowed challenges. Any other name will not comply with that.

We can invent a new HTTP-based challenge based on 4.3.3.2.18, but it will
have to use a different location: .well-known/pki-validation

http-01 and tls-alpn-01 are not allowed to be used for wildcard certificates,
and Appendix B doesn't override that, so the CSR-crafting challenge is the only
way to process wildcard requests. And it's an out-of-band challenge that
doesn't need to run a Tor daemon on CA infrastructure.

I chose to add a separate onion identifier based on old staff comments on a
Let's Encrypt Boulder issue:

https://github.com/letsencrypt/boulder/issues/4620#issuecomment-567637792

On 2022-05-11 at 9:36 PM, Richard Barnes wrote:
> Yep, this is the right way to suggest a new draft!  Thanks for writing 
> this up.
>
> One high-level comment on a quick skim: I don't think you need the new 
> identifier type.  Since .onion is a "legit" TLD [RFC7686], onion names 
> are part of the DNS namespace.  It's OK for CAs to have different 
> policies for different domain names.  Obviously the CABF requirements 
> would require a CA to validate .onion names differently, but that's up 
> to the CA's internal logic to choose different challenges.  Note that 
> they already need such logic, since a client can already send in a 
> .onion name, and the CA shouldn't validate it like a normal name.
>
> In general, it would be good to understand what extra work is really 
> needed here.  As you point out, http-01 and tls-alpn-01 work for onion 
> names; is the new challenge type better in some way?
>
> On Tue, May 10, 2022 at 10:18 PM Seo Suchan <tjtncks@gmail.com> wrote:
>
>
>     I'm new to the RFC draft thing: is this the right way to suggest a new draft?
>
>     In the appendix I made some questions. Copying them here:
>
>     Should this be about onion addresses, or all kinds of alternative DNS
>     systems?
>     Should the identifier type and challenge type include or strip the -v3 tag
>     from their names? If we include that, how about this doc name itself?
>     http-01 and tls-alpn-01 over Tor will work as well for, like, onion address
>     V2 or V12, but the CSR challenge may not. But it's reasonable to ask that
>     the same identifier type should give the same set of challenges.
>     Should it be so rigid that complying with this will make a CA comply with
>     the CA/B Baseline Requirements?
>     While typing an onion domain name, just the full onion v3 name itself with
>     an example subdomain will exceed the RFC line limit. But using ... doesn't
>     feel right in the context of a domain name. Any alternative to express a
>     truncated FQDN? Would "example.onion" work while it wouldn't be a valid
>     onion name?
>
>     -------- forwarded message --------
>     title:  New Version Notification for draft-suchan-acme-onion-00.txt
>     date:   Tue, 10 May 2022 19:04:01 -0700
>     sender: internet-drafts@ietf.org
>     to:     Seo Suchan <tjtncks@gmail.com>
>
>     A new version of I-D, draft-suchan-acme-onion-00.txt
>     has been successfully submitted by Seo Suchan and posted to the
>     IETF repository.
>
>     Name: draft-suchan-acme-onion
>     Revision: 00
>     Title: Automated Certificate Management Environment (ACME) Onion
>     Identifier Validation Extension
>     Document date: 2022-05-10
>     Group: Individual Submission
>     Pages: 7
>     URL: https://www.ietf.org/archive/id/draft-suchan-acme-onion-00.txt
>     Status: https://datatracker.ietf.org/doc/draft-suchan-acme-onion/
>     Htmlized: https://datatracker.ietf.org/doc/html/draft-suchan-acme-onion
>
>     Abstract:
>     This document specifies identifiers and challenges required to enable
>     the Automated Certificate Management Environment (ACME) to issue
>     certificates for Tor Project's onion V3 addresses.
>
>
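As an added illustration (not code from the draft, from Boulder, or from either poster), here is Python for the CA-side logic Richard describes and the wildcard constraint Seo raises: a v3 onion name is checked against its embedded checksum and version byte before any challenge is offered, and a wildcard onion request gets only the CSR-based out-of-band challenge. The identifier type `onion` and the challenge name `onion-csr-01` are assumed placeholders, not names taken from the draft.

```python
import base64
import hashlib

# Tor v3 onion address layout (Tor rend-spec-v3):
#   hostname = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
#   CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
#   VERSION  = 0x03  (so every v3 hostname ends in the base32 digit "d")
ONION_V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def onion_v3_checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()[:2]


def make_onion_v3(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a v3 onion hostname."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion pubkey must be 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_v3(name: str):
    """Return the embedded public key if `name` is a well-formed v3 onion
    hostname (leading subdomain labels are ignored), else None."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "onion" or len(labels[-2]) != 56:
        return None
    try:
        raw = base64.b32decode(labels[-2].upper())   # 56 chars -> 35 bytes
    except ValueError:
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION or checksum != onion_v3_checksum(pubkey):
        return None
    return pubkey


def challenges_for(identifier: dict) -> list:
    """CA-side challenge selection for one ACME identifier: http-01 and
    tls-alpn-01 are never offered for wildcards, onion names must parse as
    v3 before anything is offered, and the CSR-based challenge name is assumed."""
    value = identifier["value"]
    wildcard = value.startswith("*.")
    host = value[2:] if wildcard else value
    if identifier["type"] == "onion" or host.endswith(".onion"):
        if parse_onion_v3(host) is None:
            return []                       # malformed or non-v3: offer nothing
        return ["onion-csr-01"] if wildcard else ["http-01", "tls-alpn-01", "onion-csr-01"]
    return ["dns-01"] if wildcard else ["http-01", "dns-01", "tls-alpn-01"]
```

The `parse_onion_v3` check also answers the "example.onion" question in the appendix: a name that is not 56 base32 characters fails before any challenge is selected.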