Re: [Acme] Directory metadata; wildcard support; conditional authz creation

Hugo Landau <> Sun, 31 January 2016 08:40 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 4AF2D1A90D0 for <>; Sun, 31 Jan 2016 00:40:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.497
X-Spam-Status: No, score=0.497 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_62=0.6, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 2Bi2T4nP-aGn for <>; Sun, 31 Jan 2016 00:40:05 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6272C1A90CE for <>; Sun, 31 Jan 2016 00:40:05 -0800 (PST)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 77C961C60D; Sun, 31 Jan 2016 09:40:03 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; h= user-agent:in-reply-to:content-disposition:content-type :content-type:mime-version:references:message-id:subject:subject :from:from:date:date:received:received; s=mimas; t=1454229603; x=1472418964; bh=4t542MkNHnx8bu/BxzhE20B49eNbCkp8QC0jM9cy1dc=; b= TP2FT2BBuGfZtsdV8ioSzSVpV4Hm6MspjwL/OW5UFIFEONdRFolVQ4uRdsFjPP7s Qeb4O37gurr66f2XR1JAb7pmCF1r2D6b5MKXRdLLuUnsZUuCPODFRNTXnrXk9Qq8 FNZqxGfxDT1Io/nzIBCOqtIFuPuna3ClBBomvbvFjrJiqWpsS5GpVkBZnhdCf76D W2wXdJYVdbtaoFyoWT8SSiqK4dkUdVO5+/dA1Qm+xmkTj+RRaQ0qLiZs3Ncc32f0 ofYQNPjRdIJ5xXTtl9jF2R9alWNryPUSIAnjt+ZQDdi29c0u9Wr93pELdxhjinix zrQrtM+mhMWDcP7gBBMvXg==
Received: from ([]) by localhost ( []) (amavisd-new, port 10026) with LMTP id 0a1pL52hReob; Sun, 31 Jan 2016 09:40:03 +0100 (CET)
Received: from andover (localhost []) by (Postfix) with SMTP id 40BBF1C083; Sun, 31 Jan 2016 09:40:03 +0100 (CET)
Date: Sun, 31 Jan 2016 08:40:03 +0000
From: Hugo Landau <>
To: Andrew Ayer <>
Message-ID: <20160131084003.GA26421@andover>
References: <20160131033925.GA29713@andover> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <>
Subject: Re: [Acme] Directory metadata; wildcard support; conditional authz creation
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 31 Jan 2016 08:40:07 -0000

On Sat, Jan 30, 2016 at 09:26:24PM -0800, Andrew Ayer wrote:
> On Sun, 31 Jan 2016 03:39:25 +0000
> Hugo Landau <> wrote:
> > A proposed scheme for wildcard support.
> > <>
> 1. I don't think ACME should support wildcard characters anywhere but
> the leftmost label.  RFC6125 says TLS clients SHOULD NOT match wildcards
> in other labels, and in practice neither clients nor CAs support them.
> 2. The validation mechanism is insecure when a domain allows
> users to register arbitrary sub-domains and host content on them
> (e.g., Amazon S3).  For example, if I create a wildcard
> authz for *, the server will issue challenges for some
> random sub-domains (e.g.,
>  I can go register those
> sub-domains at (since the sub-domain labels have high entropy,
> they will be available with high probability), complete the challenges,
> and then be authorized for all of *  To fix this, the server
> should also require I complete a challenge for the "underlying"
> identifier ( in this example).
> 3. It's not specified how the server communicates to the
> client what sub-domains need to be validated.
You misunderstand, perhaps I should clarify the wording; the server
never tells. You don't get to know the random subdomains it requests.
This ensures that the wildcard exists and is under control.

Adding a requirement for base domain control would be fine but I don't
see the need.

> I suggest that the HTTP, DNS, and TLS SNI challenge objects be extended
> to include a "hostname" field, which specifies the hostname under which
> the challenge must be completed. The server can then make use of the
> existing combinations mechanism to require the client complete
> challenges under several sub-domains.
> Perhaps ACME shouldn't even specify how wildcard identifiers are
> validated, but leave it as a matter of CA policy.  Some CAs might be
> fine only requiring a challenge on the underlying domain (which is how
> some CAs currently validate wildcard certs), while others would require
> challenges on random sub-domains.  The policy might even be different
> depending on challenge type: the CA might accept either a single DNS
> challenge on the underlying domain, or a combination of HTTP challenges
> on the underlying domain and several random sub-domains.
This might be a good idea.

> -- Andrew