IETF Logo Mail Archive

Re: [Acme] acme subdomains open items

"Owen Friel (ofriel)" <ofriel@cisco.com> Mon, 07 December 2020 02:32 UTC

Return-Path: <ofriel@cisco.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36B163A05D0 for <acme@ietfa.amsl.com>; Sun, 6 Dec 2020 18:32:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.619
X-Spam-Level:
X-Spam-Status: No, score=-9.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=Uad8UKWm; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=gvIXS/Gw
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xHmFCVUwPYTt for <acme@ietfa.amsl.com>; Sun, 6 Dec 2020 18:32:20 -0800 (PST)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39CC53A0603 for <acme@ietf.org>; Sun, 6 Dec 2020 18:32:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=29842; q=dns/txt; s=iport; t=1607308340; x=1608517940; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=VrETPq8kEGnCOYOBKxUqA713OwzkbE7zMRIhzPw18Lg=; b=Uad8UKWmU773tvi2E3qHVJAaYp9rkUrzPWst22FVbANxzOofi41Y2KcF LJkybGt9ReN2soLDq0D0kaDQ7uKKfaielRcgxoZ2kPHTJd7ieQM1m+0Es C/xDkghGzkTEgXmB8LCIah2gjDsp7XsCF8uh5j1JE0F4hy8BizGZ95MK4 c=;
X-IPAS-Result: A0BGAAC/k81fmI9dJa1iGgEBAQEBAQEBAQEDAQEBARIBAQEBAgIBAQEBgg+BIy9RfFsvLoQ8g0gDjVwDgxeVcYJTA1QLAQEBDQEBGAEMCAIEAQGESgIXgX4CJTgTAgMBAQEDAgMBAQEBBQEBAQIBBgQUAQEBAQEBAQGGNgyFcgEBAQEDAQEQEQoTAQEsCwEPAgEIEQQBAR4DBwMCAgIlCxQJCAEBBA4FCBqDBAGBflcDLgEOoRYCgTyIaXaBMoMEAQEFgTMBAwICg3MYghAJgTiCc4N2hlgbgUE/gRFDglU+gl0BAQIBgUQaKwkIglkzgiyCEQGBFQRRAQEfJg4GAQsLH0cEAQwBFwInkxmHKCidMgqCdIkckkKETp1enRWBZoN6jWkBAYQwAgQCBAUCDgEBBYFDKiGBWXAVO4JpCUcXAg2OIQwOCYNOhRSFRHQCATQCBgEJAQEDCXyMNgEB
IronPort-PHdr: 9a23:K40aCRV4kpz/waFYZqxf2pIije3V8LGuZFwc94YnhrRSc6+q45XlOgnF6O5wiEPSBNyFuelAhufIsubrXmlTqZqCsXVXdptKWldFjMgNhAUvDYaDDlGzN//laSE2XaEgHF9o9n22Kw5ZTcD5YVCBuXm/4CATXB74MFk9KuH8AIWHicOx2qi78IHSZAMdgj27bPtyIRy6oB+XuNMRhN5pK706zV3CpX4bdg==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.78,398,1599523200"; d="scan'208,217";a="626310564"
Received: from rcdn-core-7.cisco.com ([173.37.93.143]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 07 Dec 2020 02:32:18 +0000
Received: from XCH-ALN-003.cisco.com (xch-aln-003.cisco.com [173.36.7.13]) by rcdn-core-7.cisco.com (8.15.2/8.15.2) with ESMTPS id 0B72WIUx018278 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 7 Dec 2020 02:32:18 GMT
Received: from xhs-rcd-003.cisco.com (173.37.227.248) by XCH-ALN-003.cisco.com (173.36.7.13) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Sun, 6 Dec 2020 20:32:18 -0600
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by xhs-rcd-003.cisco.com (173.37.227.248) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Sun, 6 Dec 2020 20:32:17 -0600
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Sun, 6 Dec 2020 21:32:17 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=VwK1ToIog1b1XTc09p5+pJEWQekcfB3RtE1kIixK2C7QZ+nauT3iC0Rglmk83oCT6jihsunNEzYkL1w9sV+oHujQ3xAIlqnZmRnaeaGcU5TJDR5SUXSk/7pzrl+6m1ocSFjj+7DJ1gOhDR2JYJ3Ou+LQHrCv7d5Br0zEkt7wB1H44X1lTTmk7qXxMBaEZoV3Jjv7QaHXjfBHGf6WnAbJLN6/e3YJsSfsw/5vv+C31PljrfWYRDg0YaUZ+aKtFOBJnnA55Donoao6IeyeY0PZahK6yvr1eTrQnhfWA/YXL48tXyiCLj3fI7JfqPg25duLBOF1fOywIk5hx+mSjSe3Nw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VrETPq8kEGnCOYOBKxUqA713OwzkbE7zMRIhzPw18Lg=; b=JzfwFRMMKMKH8qv7MiFLz11SxLG83+V//n1GqclnjLkTxOxhGEnv5EalsoNBvjNcYXV8+4bYGzPRRTvnLgMgAgq4jnpa1R7bqcOfe1n2490wndVynlIDAPYcppFCfKDOkk5DpJJwsIsRR9bCA58ViqYUguA7i27909+T1mBtipg8fDX62UeRz7O2yo/SluuAZpD87mGov2ZcKl0uJ8QP1NeK4J/oO/xVRKH6zlHIhFgXKm1koqQcNFZtRcahnlMHjCto37DFKdK03/GA1VyW41RWIsYOXU23S1RGCx8ALLtUlaHORvOrjlMd6ejM2WfJAv8XaDdhfRu5FVNoJhzdHQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VrETPq8kEGnCOYOBKxUqA713OwzkbE7zMRIhzPw18Lg=; b=gvIXS/GwemZa8TN5sooY1NViDjDIFYgpJnjiWGFrMJI1QI8B/yE+wfi2qe3qa129LVehGuQUHA0CYjfcgSoijhpVb4ZS6agDn+8WOhIOG83cWgwQ9cypLkYDcdexjtLkZj/IP/6fYWsKCyFjX8ciCX0GS022lgMrThJJWFLVwoE=
Received: from CY4PR11MB1685.namprd11.prod.outlook.com (2603:10b6:903:22::23) by CY4PR11MB1333.namprd11.prod.outlook.com (2603:10b6:903:24::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3632.17; Mon, 7 Dec 2020 02:32:16 +0000
Received: from CY4PR11MB1685.namprd11.prod.outlook.com ([fe80::3863:4623:7227:8e4e]) by CY4PR11MB1685.namprd11.prod.outlook.com ([fe80::3863:4623:7227:8e4e%10]) with mapi id 15.20.3632.018; Mon, 7 Dec 2020 02:32:16 +0000
From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
CC: Felipe Gasper <felipe@felipegasper.com>, "acme@ietf.org" <acme@ietf.org>
Thread-Topic: [Acme] acme subdomains open items
Thread-Index: AdbKDfR7ixOYZe4pTaW5GF7P5t9BcQANDzwAAAO4wKAACJMfgABzBLBQ
Date: Mon, 07 Dec 2020 02:32:16 +0000
Message-ID: <CY4PR11MB168593FCC8F11DF836FD12EADBCE0@CY4PR11MB1685.namprd11.prod.outlook.com>
References: <CY4PR11MB168504F6D4CF495E8AE8F729DBF10@CY4PR11MB1685.namprd11.prod.outlook.com> <CA7603D9-DFDA-4FA6-A76C-D4E0E638A956@felipegasper.com> <CY4PR11MB16851AD65ACF736CE6FD55A8DBF10@CY4PR11MB1685.namprd11.prod.outlook.com> <CAErg=HEON6756+_3Lfbe=r=3rxV9gAundvG5mBEEOzsKqL8x3w@mail.gmail.com>
In-Reply-To: <CAErg=HEON6756+_3Lfbe=r=3rxV9gAundvG5mBEEOzsKqL8x3w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: sleevi.com; dkim=none (message not signed) header.d=none;sleevi.com; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [2001:f40:905:5112:966:ab83:7a5f:e960]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 96688316-0668-487b-1c4b-08d89a584ff7
x-ms-traffictypediagnostic: CY4PR11MB1333:
x-microsoft-antispam-prvs: <CY4PR11MB13332960087341DE618E2031DBCE0@CY4PR11MB1333.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Qd0T88UYD7eQ2J51WAq/mN8W/z8CeoFF05cjeCSKQoKQlniZW/aSvuaQVaDCYY/kPBLWURF77KbVFzzQ3WlXN50xfvxFVwtM7Sd943W+L2/ipl/LYwrQWkpIpFT6q+CFglh+wBZqrZTif3PoKvvlS5GwQip8bVDfXIMxC2v1/9k3fupZcIm1tiNkRWBThDkPpl1mm/TLoWoi9+j4oSae9TjxBz1ku2mWLrtVYuPOynG4hsv/mZSAQGehbtUzbUDdJDevajbf+5EbIoAOTc9+apggprC4YqoohBzR+/YSqWpoNIRBxbrC8qh+/H69qsHfehLwbnSQjmPbLnaIdBmnCkPFgX7VQs+AgNOUZaJIl8ovv6hwGqKQZB6uJZwnzsX1kHilPI1jf4EFMyfgILEd7DYNR39kTNCWpsyAg+pVP5Mblak+eRdx5l0WC1LFvWXhr+Lqhw/yt8/xcyizgUECVg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CY4PR11MB1685.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(396003)(366004)(346002)(39860400002)(376002)(136003)(8676002)(6916009)(7696005)(316002)(66446008)(966005)(83380400001)(66556008)(66476007)(5660300002)(166002)(4326008)(76116006)(66946007)(64756008)(2906002)(6506007)(86362001)(53546011)(52536014)(186003)(55016002)(54906003)(9686003)(478600001)(71200400001)(8936002)(33656002)(336705003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: zvaJteSD6m/Z1ONDidfUzEYgp8dVcPLwEkA5sUW5ijbqKa3KT6f8lerDJw6YfXfcCOnEAcnxd3cEDmE7rX92/K527yms36RBpOq3vLkd0OThb27vcTaHiFxLAqxTx0icAmDAfxGpsezVS+gE+qBEDyUVDBbjo1rpI1L+xFLw31yhUzAYgl73uyoC27O5PoApYhgIUKm065BcsLSJFWrlyIg+wxVo0kKntJ1iwSPunlz/utyvOKFuqF88Cj90tW54I63BzXl0zZ4Wij32IJzl4qkgpf3Z7F+m63tTdAXKw7xkAxj3NnygLMz8Twk42s4z+x50DJK13WZ6K/28Ktd4X5o+YsoRJaz7/+0Z2WNrUtQJ9LEp4j6X92o3gocSlmFVQ8piVtKYYgOjOqhVIY7M3RV8OwOogOZxn9km3g5OQ9+l40TB/OEsWLcrmFhmnsELjYp+gixO/2nbzq2b20JNVWumSTTUc+eOsmotPIGRdjcHbNv8Cpd/YazO1CvuK20wTo8z7Wg99UnmnysezfjjBsq7JuZmrrbu5xk/67W55H/0C09stNsfyROQMZf2SVw6Y/QbAOdXklV3Yn5odwAaLKiSvSflYAMozFkmF035tBFc7WZ5ktHqwid5E+kTu2krRbI0hLMP1KczDwh3roX/Br7bT+qJtlN2Yu+aVOa6T+9caqNnYpiDxPB9fmYeFo1UUi2fYe4F/i7uNEzSXiAyYtvq1XtuiG6jCJz9oaAW39ezD0Hk5o+irBQ7hYgMA6hRDuDqJ1s1aYjcoVsNCEatTFh9hvIbzlCdkT/4TJ6TsqQdFXuVDKLLpbszr9FbxGLuqqPjSm4okOJXdga4NontcHCoTYHj2LHO3+WgeVzZKilVK4/beGq9Id78qU0mEzvhpve+Ta4KzTp6VWePm9Lqglwjy2omK+8hbfTSvHz+aQZPXkgHoohGQaTki0BGDFBtwt0Y/QFB1BTbQK8VM9f7nRwyi8O1j/cm5bzFKEL/CtO/GPrBmGzH9Mg5D41NE4m9mTmPvMtuVofLSDaSIzlHlOnOwOu1MAeyFDUytb2wfSs=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_CY4PR11MB168593FCC8F11DF836FD12EADBCE0CY4PR11MB1685namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CY4PR11MB1685.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 96688316-0668-487b-1c4b-08d89a584ff7
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Dec 2020 02:32:16.1399 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: //n22mgsfWnKWhYquyX1qkPX6c2S5lbY3L4qbUVD9s2cHUEf0wNSki8y4T0TByCveRekaoeR5mTFry5rCck2rw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR11MB1333
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.13, xch-aln-003.cisco.com
X-Outbound-Node: rcdn-core-7.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/7Fov1QEbfSGgQOEfjB77gJn5KCg>
Subject: Re: [Acme] acme subdomains open items
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Dec 2020 02:32:23 -0000


From: Ryan Sleevi <ryan-ietf@sleevi.com>
Sent: 05 December 2020 03:27
To: Owen Friel (ofriel) <ofriel@cisco.com>
Cc: Felipe Gasper <felipe@felipegasper.com>; acme@ietf.org
Subject: Re: [Acme] acme subdomains open items

Thanks for bringing it to the list, Owen.

This is something we're trying to lock down in the CA/B Forum, at least with respect to the 'http-01' method, by making it clear that, like tls-alpn-01, it cannot be used as an Authorization Domain Name (i.e. a domain and all of its descendents), only as an FQDN.

So this method primarily is for the 'dns-01' method, which seems to suggest that, at a minimum, the ACME server needs to indicate to the ACME client what modifications it will accept, since the ACME client will need to actually modify the DNS record at the appropriate label. If the server only chooses a single label, then it seems both likely and possible that the server may choose a dns-01 challenge that the client cannot fulfill (e.g. the client can only modify subdomain.example.com<http://subdomain.example.com> and descendents, but the server/CA chooses to challenge against example.com<http://example.com>)

So I *think* it would benefit from having the server be able to issue challenges against several identifiers, and communicate that to the client, which seems to argue "Yes" for your question #2.

[ofriel] Are there any benefits or security advantages in #1 (client giving server options) vs. #2 (server giving client options)? With #2, the client does not have to explicitly divulge any information about its level of domain control. The server gives the client a set of options, and the client decides what to do. Obviously, if it fulfils the challenge against a parent Authorized Domain Name, then it has implicitly indicated control over that domain.

Equally in this scenario, I think you're asking whether or not the client should be able to indicate its capabilities to the ACME server, for selecting appropriate challenges. If a client is using dns-01 and can only modify subdomain.example.com<http://subdomain.example.com>, it doesn't benefit the client at all if the server chooses to also allow example.com<http://example.com>. The question is whether there's a security risk in doing so; that is, should the client be able to affirmatively restrict the server or does it not matter.

[ofriel] Yes, that is exactly what I am getting at. Perhaps the question #1 should be phrased more accurately something like: Does the client need a mechanism to indicate to the server that it is capable of and authorized to fulfil challenges against the requested subdomain FQDN, as well as some or all of the parent Authorized Domain Names (potentially up to and including the Base Domain Name).

TBH I have no thought about the security risk of a client indicating to the server that it has control over parent domains, potentially including the Base Domain Name. What does the CA/B currently think about this?

Does that accurately capture things?

[ofriel] Exactly the questions I am asking.

On Fri, Dec 4, 2020 at 10:25 AM Owen Friel (ofriel) <ofriel=40cisco.com@dmarc.ietf.org<mailto:40cisco.com@dmarc.ietf.org>> wrote:
That is what is currently documented – the server simply picks the one domain that it wants the client to fulfil the challenge against.

That was presented as the current documented approach. And I also presented the open questions if we needed to build flexibility in client request and/or server response. There were no concrete opinions as far as I recall (waiting on the exact minutes) and Rich said to bring the qs to the mailer for further discussion.

Cheers,
Owen


From: Acme <acme-bounces@ietf.org<mailto:acme-bounces@ietf.org>> On Behalf Of Felipe Gasper
Sent: 04 December 2020 21:35
To: Owen Friel (ofriel) <ofriel=40cisco.com@dmarc.ietf.org<mailto:40cisco.com@dmarc.ietf.org>>
Cc: acme@ietf.org<mailto:acme@ietf.org>
Subject: Re: [Acme] acme subdomains open items

I wasn’t part of IETF 109 .. was it discussed simply to give CAs the ability to choose whether it tries authz against parent domains without the client’s requesting it?

This is how our (non-ACME) Sectigo integration works currently, and it suits us well.

-F

On Dec 4, 2020, at 02:23, Owen Friel (ofriel) <ofriel=40cisco.com@dmarc.ietf.org<mailto:ofriel=40cisco.com@dmarc.ietf.org>> wrote:

Hi all,

As recommended by the chairs at IETF109, bring the two open items to the list for discussion. These were raised by Felipe and Ryan previously.

1: Does the client need a mechanism to indicate that they want to authorize a parent domain and not the explicit subdomain identifier? Or a mechanism to indicate that they are happy to authorize against a choice of identifiers?

E.g. for foo1.foo2.bar.example.com<http://foo1.foo2.bar.example.com>, should the client be able to specify anywhere from 1 to 4 identifiers they are willing to fulfil challenges for?

2: Does the server need a mechanism to provide a choice of identifiers to the client and let the client chose which challenge to fulfil?

E.g. for foo1.foo2.bar.example.com<http://foo1.foo2.bar.example.com>, should the server be able to specify anywhere from 1 to 4 identifiers that the client can pick from to fulfil?

Both 1 and 2 require JSON object definition changes. Currently, the document only defines how a client can submit a newOrder / newAuthz for a subdomain, and the server can chose any one parent identifier that it requires a challenge fulfilment on

Owen

https://datatracker.ietf.org/meeting/109/materials/slides-109-acme-subdomains-01

https://tools.ietf.org/html/draft-friel-acme-subdomains-03#section-4

_______________________________________________
Acme mailing list
Acme@ietf.org<mailto:Acme@ietf.org>
https://www.ietf.org/mailman/listinfo/acme
_______________________________________________
Acme mailing list
Acme@ietf.org<mailto:Acme@ietf.org>
https://www.ietf.org/mailman/listinfo/acme

v2.23.0 | Report a Bug | By Email