Re: [Acme] Fwd: New Version Notification for draft-ietf-acme-star-delegation-01.txt

Yaron Sheffer <yaronf.ietf@gmail.com> Thu, 10 October 2019 21:24 UTC

Date: Fri, 11 Oct 2019 00:24:33 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
CC: Thomas Fossati <Thomas.Fossati@arm.com>, "acme@ietf.org" <acme@ietf.org>
Message-ID: <04D1B1F4-9C64-4D27-BD67-F27105D2FC23@gmail.com>
Thread-Topic: [Acme] Fwd: New Version Notification for draft-ietf-acme-star-delegation-01.txt
References: <156688663499.2633.13348873823926960427.idtracker@ietfa.amsl.com> <0d62ec19-399c-94e7-a44a-098ccf99bc7e@gmail.com> <CAErg=HFekDDOu0SPe171NJuXpCDUkiyV7_9bQMDz1GquXPoUiA@mail.gmail.com> <3FE5BE45-EB69-429E-A4DB-7B7838DC0AFE@arm.com> <AFD56CB0-0001-4FDC-9D2B-25A127E27BB8@gmail.com> <CAErg=HF+fH62x+28-J8dcd8NtD6svL51sg_hXnNpH-2Ea=8iCA@mail.gmail.com>
In-Reply-To: <CAErg=HF+fH62x+28-J8dcd8NtD6svL51sg_hXnNpH-2Ea=8iCA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/7tLJNSN2QO8pnbt7zF2AYWXhXN8>
Subject: Re: [Acme] Fwd: New Version Notification for draft-ietf-acme-star-delegation-01.txt

Agree on both points.
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Thursday, 10 October 2019 at 18:16
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: Thomas Fossati <Thomas.Fossati@arm.com>, Ryan Sleevi <ryan-ietf@sleevi.com>, "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] Fwd: New Version Notification for draft-ietf-acme-star-delegation-01.txt
On Thu, Oct 10, 2019 at 5:22 AM Yaron Sheffer <yaronf.ietf@gmail.com> wrote:

> I am wondering though about this sentence: A CA can "also offer additional validation methods/issuance flows which also use the "dns-01" method." Doesn't specifying "dns-01" restrict the CA to one particular validation/authorization flow?

No.
There's a gap in the assumption here, which is that the CA MUST support draft-ietf-acme-caa, which is not specified, and were it specified, runs into the set of issues covered in https://tools.ietf.org/html/draft-ietf-acme-caa-10#section-5

However, setting that aside, the dns-01 validation method alone doesn't restrict the issuance pattern to just being STAR, which is the assertion "To restrict certificate delegation only to the protocol defined here:"
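To make the distinction in this exchange concrete, here is a small CAA policy evaluator written for this page (an added example, not code from the thread, from the STAR delegation draft, or from any CA or ACME client). It assumes CAA records in RFC 8659 presentation format (`flags tag "value"`) and the `validationmethods` and `accounturi` parameters of draft-ietf-acme-caa; `ca.example.net`, the account URI and the record set are constructed sample data, and wildcard (`issuewild`) handling is deliberately out of scope.

```python
"""CAA issue-policy evaluator with draft-ietf-acme-caa parameters.

Added example for illustration only. Assumptions: RFC 8659 presentation
format, the draft-ietf-acme-caa "validationmethods" (comma-separated
RFC 8555 challenge names) and "accounturi" parameters, and a
non-wildcard name (so "issuewild" records are ignored here).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# flags, tag, quoted value, e.g. 0 issue "ca.example.net; validationmethods=dns-01"
CAA_RE = re.compile(r'^\s*(\d+)\s+(\S+)\s+"(.*)"\s*$')
CRITICAL = 0x80            # RFC 8659 issuer-critical flag (high-order bit)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass
class CaaIssue:
    ca_domain: str                               # "" means no CA may issue (the ";" form)
    params: Dict[str, str] = field(default_factory=dict)


def parse_caa(record: str) -> Tuple[int, str, str]:
    """Split one CAA record into (flags, tag, value)."""
    m = CAA_RE.match(record)
    if not m:
        raise ValueError(f"not a CAA record in presentation format: {record!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)


def parse_issue_value(value: str) -> CaaIssue:
    """Parse 'ca-domain; key=value; key=value' (assumed: no ';' inside values)."""
    parts = [p.strip() for p in value.split(";")]
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if not p:
            continue
        if "=" not in p:
            raise ValueError(f"malformed CAA parameter: {p!r}")
        k, v = p.split("=", 1)
        params[k.strip().lower()] = v.strip()
    return CaaIssue(parts[0].lower(), params)


def issue_permits(issue: CaaIssue, ca: str, method: str,
                  account_uri: Optional[str]) -> bool:
    """Does one issue record authorise this CA, challenge type and account?"""
    if issue.ca_domain != ca.lower():
        return False
    methods = issue.params.get("validationmethods")
    if methods is not None:
        allowed = {m.strip().lower() for m in methods.split(",")}
        if method.lower() not in allowed:
            return False
    acct = issue.params.get("accounturi")
    if acct is not None and acct != account_uri:
        return False
    return True


def issuance_allowed(records: List[str], ca: str, method: str,
                     account_uri: Optional[str] = None) -> bool:
    """Evaluate the record set for a non-wildcard name.

    Note what is NOT an input here: whether the order is a STAR order or a
    conventional one. validationmethods names the challenge, not the flow.
    """
    issues: List[CaaIssue] = []
    for r in records:
        flags, tag, value = parse_caa(r)
        if tag == "issue":
            issues.append(parse_issue_value(value))
        elif tag not in KNOWN_TAGS and flags & CRITICAL:
            return False          # unknown critical property: must not issue
    if not issues:
        return True               # no issue property present: no restriction
    return any(issue_permits(i, ca, method, account_uri) for i in issues)


if __name__ == "__main__":
    # constructed sample zone data
    zone = ['0 issue "ca.example.net; validationmethods=dns-01"']
    print(issuance_allowed(zone, "ca.example.net", "dns-01"))    # True
    print(issuance_allowed(zone, "ca.example.net", "http-01"))   # False
```

The evaluator returns the same verdict for a STAR order and for an ordinary order that also validates with `dns-01`, because nothing in the record identifies the issuance flow; pinning the flow would need a further parameter that the CAA draft does not define, which is the gap the reply above points at.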