[Acme] ACME subdomains

Felipe Gasper <felipe@felipegasper.com> Tue, 04 August 2020 23:41 UTC

From: Felipe Gasper <felipe@felipegasper.com>
Date: Tue, 04 Aug 2020 19:40:58 -0400
Message-Id: <AC488DAF-A24F-4B1A-9192-7ACD75F7EF48@felipegasper.com>
To: acme@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/7JezjVtcdLXZIR3B1vy4DGlynBc>
Subject: [Acme] ACME subdomains
List-Id: Automated Certificate Management Environment <acme.ietf.org>

As regards https://tools.ietf.org/html/draft-friel-acme-subdomains-02 ...

Is the idea that the client will, if requesting authz on sub.example.com, *only* be able to do authz against the parent domain (example.com)?

It would seem advantageous—from the client’s perspective, anyway—to allow a workflow where the client can do authz against one or the other. For longer subdomains, e.g., foo.bar.example.com, likewise, ideally the domain itself or either parent domain would work.

Was this considered and deemed infeasible?

Thank you!

-Felipe Gasper
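The workflow the message proposes (authorize the identifier itself or any of its parent domains) is easy to get subtly wrong, because "walk up the name" must stop before it reaches a registry-controlled name. The block below is an added example, written for this archive page; it is not code from draft-friel-acme-subdomains or from the original message. It assumes a constructed stand-in for the Public Suffix List (a real CA would consult the full list), a hypothetical per-authorization boolean saying whether that authorization may cover subdomains, and the convention that a wildcard identifier is covered by its base name or an ancestor of it, as in RFC 8555.

```python
"""Added example, not from the draft or the original message.

Models the client-side question asked on the list: given the
authorizations a client already holds, which of them could cover an
identifier such as foo.bar.example.com, and which candidate domains
could the client complete a challenge for instead?
"""

# Constructed stand-in for the Public Suffix List. The walk up the name
# stops before any of these so a client can never be offered "com" or
# "co.uk" as a domain to prove control over.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "uk"}


def ancestors(identifier, suffixes=PUBLIC_SUFFIXES):
    """Return the identifier and its parent domains, most specific first,
    stopping before the first name that is a public suffix.

    A wildcard "*.example.com" is treated as its base "example.com"
    (assumption for this example: a wildcard is covered by an
    authorization for the base name or an ancestor of it).
    """
    name = identifier.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    parts = name.split(".")
    out = []
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in suffixes:
            break
        out.append(candidate)
    return out


def covering_authorizations(identifier, authorizations, suffixes=PUBLIC_SUFFIXES):
    """Return the held authorizations that could cover `identifier`.

    `authorizations` maps an authorized domain to a hypothetical flag:
    True if the CA issued it as one that may also cover subdomains,
    False if it is valid only for that exact name.  An exact match
    (depth 0) always counts; an ancestor counts only when its flag is set.
    """
    covering = []
    for depth, candidate in enumerate(ancestors(identifier, suffixes)):
        if candidate not in authorizations:
            continue
        if depth == 0 or authorizations[candidate]:
            covering.append(candidate)
    return covering


if __name__ == "__main__":
    # Constructed sample: a client that has done a challenge for
    # example.com (subdomain-capable) and for bar.example.com (exact only).
    held = {"example.com": True, "bar.example.com": False}
    for ident in ("foo.bar.example.com", "bar.example.com", "*.api.example.com"):
        print(ident)
        print("  could prove control of:", ancestors(ident))
        print("  already covered by:    ", covering_authorizations(ident, held))
```

The `suffixes` check is the caveat a CA implementer cares about most: without it the "either parent domain" idea from the message degrades into "any registry suffix", and a client that somehow validated `co.uk` would be offered every name beneath it.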