[Acme] scope in dns-account-01 and dns-02 challenge
Jacob Hoffman-Andrews <jsha@letsencrypt.org> Mon, 18 March 2024 23:03 UTC
Return-Path: <jsha@letsencrypt.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C1CAC14CE2E for <acme@ietfa.amsl.com>; Mon, 18 Mar 2024 16:03:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DiZetRM4_l5w for <acme@ietfa.amsl.com>; Mon, 18 Mar 2024 16:03:33 -0700 (PDT)
Received: from mail-yb1-xb2c.google.com (mail-yb1-xb2c.google.com [IPv6:2607:f8b0:4864:20::b2c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CAE16C1D61EA for <acme@ietf.org>; Mon, 18 Mar 2024 16:03:33 -0700 (PDT)
Received: by mail-yb1-xb2c.google.com with SMTP id 3f1490d57ef6-dc6cbe1ac75so3815089276.1 for <acme@ietf.org>; Mon, 18 Mar 2024 16:03:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; t=1710803013; x=1711407813; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=fIx1JPNAL0YDSZ/Wvf+pj/tD/7frOGur1NujRIcupgM=; b=XNH1KhAvxbcq+9597PkpOEuw/C4nmB/jbnzmaFGxe+vquZQhadgmnNGUwDGdpQhzQk OWFOXp4FxYIjwpXSg7zUHK0vJ8Y2fejHZywNR70PQ7waXPm9Iz4YXOrootpSLFfCPEAK SFaTTddrKaB7SCQ4e2sr3veXkxexY7sWhZrDA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710803013; x=1711407813; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=fIx1JPNAL0YDSZ/Wvf+pj/tD/7frOGur1NujRIcupgM=; b=BiWH0+hz7HR+n+LtRcybWYuL5ljPKrkPWqEa0u1M1j4p2VVG7EVu/b3olLfX0wLCEt pkmsYvjjwbCj/goKEZVyeBnaQgbE9mEiWhS8bl8s4RaTJKm3IqqNdZ/yx2VbTn0lKuhI Ggj/dg8RZlnwLlBYi1RBP3PuOHeGhNrWOYsnFYpeHob84aNZFF4qIjZzZndY8j0TOO8V lwI+hvHe4Z0KX826IesYt/4Dfrz+os9oJ/xGzZ6sazX+cE3a9aC3O65KCNOHmX1px6cx JaJg5DD74+RFCWGionM3qNvBKKHvzKUjdJESAnB633Nlf4BdOtqXoEE/cyWLxZ+VjNZe /l6w==
X-Gm-Message-State: AOJu0YzmKBY/+JxEiVs4j3syFmkfEAKUDdtN+ualURFm7TxaRxmWP2Sf Z8iCaNAZ4XyGlCtoP6zjE5uZynMZydTTLGhDTt8/BAanpBEWjoTLzRJUvYlL0FrvS1a2TiP3HI0 1RBKxvfOtXUrp2Fbi7wkbOkqho5MNlsUdVyTm0iTktorF8qhOEhg=
X-Google-Smtp-Source: AGHT+IE8A1y8LV9/toSH3qPCjI0uD6s9BjC/7IN0JQ4QTZ8oTU8R0dL2fsmu/oUy77Ig52YeflwziDnjfTMwf5E8Ess=
X-Received: by 2002:a25:f210:0:b0:dc6:16b7:7d6f with SMTP id i16-20020a25f210000000b00dc616b77d6fmr727983ybe.10.1710803012713; Mon, 18 Mar 2024 16:03:32 -0700 (PDT)
MIME-Version: 1.0
From: Jacob Hoffman-Andrews <jsha@letsencrypt.org>
Date: Mon, 18 Mar 2024 16:03:07 -0700
Message-ID: <CAN3x4QkK6dFnoo0wfyCBf9_beuQf+Og9+EhoeYvMUbFaoGw8zw@mail.gmail.com>
To: acme@ietf.org
Content-Type: multipart/alternative; boundary="000000000000daa3040613f75d10"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/FXBi9B2Q1i7eGUpqJmAeWKhcVIQ>
Subject: [Acme] scope in dns-account-01 and dns-02 challenge
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2024 23:03:37 -0000
Thanks, authors, for the updates in https://datatracker.ietf.org/doc/html/draft-ietf-acme-scoped-dns-challenges-00 . Adding a "scope" (host, wildcard, or subdomain) to the DNS record name is great. Reading the draft, I think it doesn't specify how the scope for a given challenge is decided and communicated. Three ideas: 1. Server picks, and tells the client. The challenge object contains a "scope" field. The client verifies that the indicated scope is one of "host", "wildcard", or "subdomain", and is less than the maximal scope the client is willing to validate for. For instance, a client might be configured to only accept "host" scope. 2. Client picks. When the client POSTs to the challenge URL, instead of sending the empty object {}, it sends {"scope": "host"}, {"scope": "wildcard"}, or {"scope": "domain"}. The server verifies that the request scope is sufficient for the authorization object (i.e. "wildcard" or above for an authorization object that can be used to issue for a wildcard name), then performs the validation. 3. Server offers options via challenge types We explode out the challenge types from two to six: dns-host-02 dns-wildcard-02 dns-domain-02 dns-account-host-01 dns-account-wildcard-01 dns-account-domain-01 The server populates the authorization object with only those challenge types that are acceptable. For instance, if the authorization object can be used to issue for a wildcard name, the server would not offer dns-host-02 or dns-account-host-01. I like this option the best because it provides cleaner separation, and uses the design of ACME nicely: servers offer appropriate challenges, and clients pick the challenge that works best for them. Also it allows for clean implementation in the BRs: they could specify by name which challenge types are allowed to issue for wildcards. Of course, it feels messy to define so many challenge types. Perhaps we could eliminate the dns-02 family? The idea being that clients and servers that wish to adopt the modern best practices from https://datatracker.ietf.org/doc/draft-ietf-dnsop-domain-verification-techniques/, they can also adopt the account-scoping features of the dns-account-01 family, which are not burdensome.
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Seo Suchan
- [Acme] scope in dns-account-01 and dns-02 challen… Jacob Hoffman-Andrews
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Amir Omidi
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Ilari Liusvaara
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Jacob Hoffman-Andrews
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Amir Omidi
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Ilari Liusvaara
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Jacob Hoffman-Andrews
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Amir Omidi
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Jacob Hoffman-Andrews
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Ilari Liusvaara