Re: [Acme] Indicating scope in DNS validation label
Erik Nygren <erik+ietf@nygren.org> Mon, 27 November 2023 20:47 UTC
Return-Path: <nygren@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC36CC151093; Mon, 27 Nov 2023 12:47:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.406
X-Spam-Level:
X-Spam-Status: No, score=-1.406 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zK3c95QYZ7K3; Mon, 27 Nov 2023 12:47:13 -0800 (PST)
Received: from mail-wr1-f53.google.com (mail-wr1-f53.google.com [209.85.221.53]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99CF1C14CF1E; Mon, 27 Nov 2023 12:47:13 -0800 (PST)
Received: by mail-wr1-f53.google.com with SMTP id ffacd0b85a97d-332cc1f176bso3182953f8f.2; Mon, 27 Nov 2023 12:47:13 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701118032; x=1701722832; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=vxiWZde/JtbHNEQxl1tLkDAQWe24WnBp3QBrSLZ5kBg=; b=aB/OjKxNYZM1DyH/jtW5SjlSyAMISMDMt50tktJmfujAwsIt7jr3EgnDZBZ3Ku8vMI DI3nk1FG/jI0PlMqQgWHN9noYMLisjKHfoDXFrfpL3JjcwOYf0UT93fjn29LAcLp5z1B CReeVmA1IALcmqreYZ3nWLTl86IxSDx+TS6QClS7lrs2cCm1Hph3lPf2ojCJpd5rVbtI tv42SRlF/zrXbraQJ+DS4zeV4B60oM8tydtkcVODFZHVk6pb4LPFBfwS1h0/PPi+8H2K PT5esDeD4FCwkXq3N03spamLUEmqaIkn7GDNxMWZMJFSvktAVL4EJo/kIoC5NVeEY1mV +xbw==
X-Gm-Message-State: AOJu0YwZVSXq7QKMom1iiGQlWk5iC4HFrI9i/tPQcnIRDnrZZrcTcli1 rea8v+Mn5JZWRPImUXaP32eIU662SL4xTb7L16tj33/O
X-Google-Smtp-Source: AGHT+IGm9HwwYp4DeniYzQWnXwnGrL52pcX75zGsW/rRzwcvd6qu7F+LEnrksANL5I7iyJwE9VQYHnqjiVfWKNO+J1M=
X-Received: by 2002:a5d:594f:0:b0:332:f9e8:ce14 with SMTP id e15-20020a5d594f000000b00332f9e8ce14mr4103382wri.29.1701118031697; Mon, 27 Nov 2023 12:47:11 -0800 (PST)
MIME-Version: 1.0
References: <CAKC-DJib1cE5d=NcJVbv1bO+fXs=5KTrodrHoWkJ3h-ZD1wmpQ@mail.gmail.com> <b46133ac-73ba-45f9-ac22-1d5c4de8e6d8@gmail.com> <CAMEWqGtO3zfnB9TVK-2ozOyhj+ROgjC1QOruckRFaw3ktYTGQg@mail.gmail.com> <e6937847-201c-4762-b323-3f7446caeffb@gmail.com> <CAKC-DJhUTv=hqW3=3ABiRJm5-Nhockc2tiB5TBk2xksToh=Y2g@mail.gmail.com> <CAOG=JUJo_STy4yfTcAtqb_yUfbZZRKFRq=yaSR6WS45BL_vN9w@mail.gmail.com>
In-Reply-To: <CAOG=JUJo_STy4yfTcAtqb_yUfbZZRKFRq=yaSR6WS45BL_vN9w@mail.gmail.com>
From: Erik Nygren <erik+ietf@nygren.org>
Date: Mon, 27 Nov 2023 15:46:59 -0500
Message-ID: <CAKC-DJi=bm7TWAfhoU7yuNFZfNrqo88kXM8k_LsV-w=L+=MDUQ@mail.gmail.com>
To: Amir Omidi <amir@aaomidi.com>
Cc: Seo Suchan <tjtncks@gmail.com>, Q Misell <q@as207960.net>, "acme@ietf.org" <acme@ietf.org>, draft-ietf-dnsop-domain-verification-techniques@ietf.org
Content-Type: multipart/alternative; boundary="000000000000001ccb060b28684f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/9DK9E2ctDNqsiLNuwkpPdt07qiQ>
Subject: Re: [Acme] Indicating scope in DNS validation label
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Nov 2023 20:47:18 -0000
The ability to have differentiated ACLs is actually a big reason to have
the labels differentiated. It is possible to have per-label ACLs and some
systems do support it. With having a single label for both wildcard and
exact it isn't possible to differentiate in an ACL between the wildcard
permissions and the exact permissions. With distinct labels it does become
possible to differentiate in the ACL for an automated flow.
Hopefully most domain validation is either automated flows, or adding a
CNAME to a system that provides automation. That latter case is another
one where being able to have differentiation would help (ie, to know
whether that CNAME allows for wildcards or just exact name issuance).
Erik
On Mon, Nov 27, 2023 at 3:02 PM Amir Omidi <amir@aaomidi.com> wrote:
> Hi! Thank you for suggesting these improvements.
>
> I'm not sure if it makes sense to add this complexity to the level of
> domain validation that happens for ACME.
>
> Main reasons I see for this:
>
>
> - A lot of DNS ACL systems have per-zone ACLing, rather than
> per-label. It's not going to immediately make it easier for someone to gate
> wildcard issuance.
> - CAA records are already able to somewhat mitigate part of this
> problem.
> - The ACME flow is meant for machines to follow both on the client and
> server side. The human-readability of the label arguably decreases the
> security assurances provided by ACME's automated flow.
>
> Looking at the `domain-challenge` part of this:
> https://github.com/enygren/draft-ietf-dnsop-domain-verification-techniques/blob/ec8c2ba87f3129c51347e62ec51073899a404a45/draft-ietf-dnsop-domain-verification-techniques.md#scope-indication-scope-indication.
> I feel like this introduces another potential security gap.
>
> For example, what happens if I do a domain challenge for `com.`, or
> `co.uk.`. This is a pretty broad level of domain validation that doesn't
> necessarily follow the hierarchical changes in DNS.
>
> While these changes may make sense in human based flows (e.g, validating a
> domain for a social media network) - I don't think they're the right
> solution for automated flows.
>
> On Sun, Nov 12, 2023 at 8:47 AM Erik Nygren <erik+ietf@nygren.org> wrote:
>
>> CAA can help, but agreed that it's a blunt tool and only part of the
>> ecosystem.
>>
>> it would be preferable to differentiate within the DV record being added
>> to the zone,
>> especially as there could be cases where both an exact cert and a
>> wildcard cert may
>> be desirable for a zone. The DNS operator of the zone (or any automation
>> framework that authorizes access) which is adding the record should
>> preferably
>> be able to distinguish what name(s) is/are being validated. Including
>> this
>> in the ACME label name would give zone operators better control.
>>
>> This would enable CA operators to give better controls to their customers
>> so would not be in conflict with the MAY in the BR. (Although if we had
>> a better
>> ecosystem here it might make sense to tighten the BR at some point.)
>> In the interim, CAA along with such a differentiation could be used
>> by zone operators to limit allowed CAs to only those who support this
>> differentiation feature, which is the scope/intent of CAA.
>>
>> Erik
>>
>>
>>
>>
>>
>> On Wed, Oct 4, 2023 at 4:46 AM Seo Suchan <tjtncks@gmail.com> wrote:
>>
>>> while it's blunt tool current CAA issuewild record with whiltelist
>>> accounturi would able to do that, as issuewild overides issue.
>>> 2023-10-04 오후 4:59에 Q Misell 이(가) 쓴 글:
>>>
>>> Regardless of the inclusion of that paragraph in the BR I still think it
>>> would be worthwhile to be able to limit a DNS based validation to not
>>> issuing wildcards, should an admin so desire.
>>> ------------------------------
>>>
>>> Any statements contained in this email are personal to the author and
>>> are not necessarily the statements of the company unless specifically
>>> stated. AS207960 Cyfyngedig, having a registered office at 13 Pen-y-lan
>>> Terrace, Caerdydd, Cymru, CF23 9EU, trading as Glauca Digital, is a company
>>> registered in Wales under № 12417574
>>> <https://e.as207960.net/w4bdyj/Tuxjr0hL>, LEI 875500FXNCJPAPF3PD10. ICO
>>> register №: ZA782876 <https://e.as207960.net/w4bdyj/w06IBwih>. UK VAT
>>> №: GB378323867. EU VAT №: EU372013983. Turkish VAT №: 0861333524. South
>>> Korean VAT №: 522-80-03080. AS207960 Ewrop OÜ, having a registered office
>>> at Lääne-Viru maakond, Tapa vald, Porkuni küla, Lossi tn 1, 46001, trading
>>> as Glauca Digital, is a company registered in Estonia under № 16755226.
>>> Estonian VAT №: EE102625532. Glauca Digital and the Glauca logo are
>>> registered trademarks in the UK, under № UK00003718474 and № UK00003718468,
>>> respectively.
>>>
>>>
>>> On Tue, 3 Oct 2023 at 20:04, Seo Suchan <tjtncks@gmail.com> wrote:
>>>
>>>> Because CA/B baseline DNS Change auth have this paragraph, I think DNS
>>>> admin should consider any DNS record there to be valid for wildcard.
>>>>
>>>> Note: Once the FQDN has been validated using this method, the CA MAY
>>>> also issue Certificates for
>>>> other FQDNs that end with all the Domain Labels of the validated FQDN.
>>>> This method is suitable
>>>> for validating Wildcard Domain Names.
>>>>
>>>>
>>>> 2023-10-03 오후 10:31에 Erik Nygren 이(가) 쓴 글:
>>>>
>>>> Within draft-ietf-dnsop-domain-verification-techniques
>>>> <https://e.as207960.net/w4bdyj/KvYIoLDG> there is considerable
>>>> discussion about the risks associated with DNS DCV records (such as ACME
>>>> DNS-01) not being clear in the record about whether the scope applies to
>>>> just a single hostname (example.com
>>>> <https://e.as207960.net/w4bdyj/qLxR85iE>) or to a wildcard (*.
>>>> example.com <https://e.as207960.net/w4bdyj/tcl3DZPh>). While DNS-01
>>>> has this within the token, the DNS TXT record itself only includes a hash
>>>> of the token making this hard for a DNS admin to validate.
>>>>
>>>> We have a proposed change to use distinct labels for different scopes.
>>>> For example:
>>>>
>>>> * "`_acme-host-challenge.example.com
>>>> <https://e.as207960.net/w4bdyj/JpqJjdxE>`" applies only to the
>>>> specific host name of "example.com
>>>> <https://e.as207960.net/w4bdyj/oHE7qkwz>" and not to anything
>>>> underneath it.
>>>> * "`_acme-wildcard-challenge.example.com
>>>> <https://e.as207960.net/w4bdyj/xVMcJdIL>`" applies to all host names
>>>> at the level immediately underneath "example.com
>>>> <https://e.as207960.net/w4bdyj/K9ajyGUJ>". For example, it would apply
>>>> to "foo.example.com <https://e.as207960.net/w4bdyj/t7IJuCyq>" but not "
>>>> example.com <https://e.as207960.net/w4bdyj/zyBITmRO>" nor "
>>>> quux.bar.example.com <https://e.as207960.net/w4bdyj/wvu0juZp>". In
>>>> the ACME context this would be for *.example.com
>>>> <https://e.as207960.net/w4bdyj/oirLEOAx>.
>>>>
>>>> Pull request for this is here:
>>>>
>>>> <http://goog_1991325217>
>>>>
>>>> https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-domain-verification-techniques/pull/90/files
>>>> <https://e.as207960.net/w4bdyj/awm4ssbi>
>>>>
>>>> What is the sense of the ACME WG on if this would make sense? Roll-out
>>>> would presumably take quite some time so both would need to keep working.
>>>>
>>>> I'd suggest that it may make sense to incorporate as part of
>>>> draft-ietf-acme-dns-account-challenge since the roll-out for both would
>>>> likely follow a similar pattern. In that case I'd proposed that we'd
>>>> replace the "-account" in that draft with a specification to use either
>>>> "-host" or "-wildcard" depending on scope. (That might also mean expanding
>>>> the title of that draft.)
>>>>
>>>> There's also a scope of the domain and its subdomains, covering
>>>> example.com <https://e.as207960.net/w4bdyj/LVqv0vTq>, *.example.com
>>>> <https://e.as207960.net/w4bdyj/cV3n3pfP>, *.*.example.com
>>>> <https://e.as207960.net/w4bdyj/xHJHAQvD>, *.{...}.example.com
>>>> <https://e.as207960.net/w4bdyj/gnFjNtwj>, etc, but this isn't
>>>> something specified by ACME due to the semantics of wilcards X509 certs.
>>>>
>>>> Erik
>>>>
>>>>
>>>> _______________________________________________
>>>>
>>>> Acme mailing list
>>>> Acme@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/acme <https://e.as207960.net/w4bdyj/eLTGHv1V>
>>>>
>>>> _______________________________________________
>>>> Acme mailing list
>>>> Acme@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/acme
>>>> <https://e.as207960.net/w4bdyj/cbz6pd9N>
>>>>
>>> _______________________________________________
>>> Acme mailing list
>>> Acme@ietf.org
>>> https://www.ietf.org/mailman/listinfo/acme
>>>
>> _______________________________________________
>> Acme mailing list
>> Acme@ietf.org
>> https://www.ietf.org/mailman/listinfo/acme
>>
>
- [Acme] Indicating scope in DNS validation label Erik Nygren
- Re: [Acme] Indicating scope in DNS validation lab… Seo Suchan
- Re: [Acme] Indicating scope in DNS validation lab… Seo Suchan
- Re: [Acme] Indicating scope in DNS validation lab… Q Misell
- Re: [Acme] Indicating scope in DNS validation lab… Erik Nygren
- Re: [Acme] Indicating scope in DNS validation lab… Amir Omidi
- Re: [Acme] Indicating scope in DNS validation lab… Erik Nygren