[Acme] ACME wildcards vs. subdomain authorizations (was RE: Call for adoption draft-frield-acme-subdomains)

"Owen Friel (ofriel)" <ofriel@cisco.com> Fri, 06 December 2019 15:42 UTC

From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: "Salz, Rich" <rsalz@akamai.com>, "acme@ietf.org" <acme@ietf.org>
Date: Fri, 6 Dec 2019 15:41:29 +0000
Message-ID: <MN2PR11MB3901512A25A395E684808FFBDB5F0@MN2PR11MB3901.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/G56BB03_sf4vfBThfsJXUEdVuSI>

Any comments on this email on how to explicitly distinguish between wildcard and subdomain authorizations, which hopefully addresses ekr's mic comments?


> -----Original Message-----
> From: Acme <acme-bounces@ietf.org> On Behalf Of Owen Friel (ofriel)
> Sent: 26 November 2019 22:51
> To: Salz, Rich <rsalz@akamai.com>; acme@ietf.org
> Subject: Re: [Acme] Call for adoption draft-frield-acme-subdomains
> 
> DNS wildcards are mentioned in 3 sections in RFC8555 (in addition to the IANA
> Considerations section):
> 
> 1. https://tools.ietf.org/html/rfc8555#section-7.1.3 Order Objects:
> 
>    Any identifier of type "dns" in a newOrder request MAY have a
>    wildcard domain name as its value.  A wildcard domain name consists
>    of a single asterisk character followed by a single full stop
>    character ("*.") followed by a domain name as defined for use in the
>    Subject Alternate Name Extension by [RFC5280].  An authorization
>    returned by the server for a wildcard domain name identifier MUST NOT
>    include the asterisk and full stop ("*.") prefix in the authorization
>    identifier value.  The returned authorization MUST include the
>    optional "wildcard" field, with a value of true.
> 
> 2. https://tools.ietf.org/html/rfc8555#section-7.1.4 Authorization Objects:
> 
>    If an
>    authorization object conveys authorization for the base domain of a
>    newOrder DNS identifier containing a wildcard domain name, then the
>    optional authorizations "wildcard" field MUST be present with a value
>    of true.
> 
> 3. https://tools.ietf.org/html/rfc8555#section-7.4.1 Pre-authorization
> 
>    Note that because the identifier in a pre-authorization request is
>    the exact identifier to be included in the authorization object, pre-
>    authorization cannot be used to authorize issuance of certificates
>    containing wildcard domain names.
> 
> For the subdomains use case, it looks as if it makes sense to define a
> "parentdomain" boolean flag (or "basedomainname" or similar) to be included in
> the authorization object for a domain that authorizes subdomain certs. The
> relevant CAB guidelines are quoted in https://tools.ietf.org/html/draft-friel-
> acme-subdomains-00#appendix-A.
> 
> The authorization object would then explicitly indicate that this is a base domain
> authorization and thus subdomain certs may be issued off this. This is
> conceptually similar to the current "wildcard" flag which indicates that a
> wildcard cert may be issued off the identifier in the object, and would
> definitively differentiate wildcard vs. base domain vs. explicit domain
> authorizations.
> 
> Item #3 from section 7.4.1 Pre-authorization is already called out as a
> substantive change from RFC8555: i.e. the identifier in the authorization object
> may be different from the identifier in the newAuthz object.
> 
> > -----Original Message-----
> > From: Acme <acme-bounces@ietf.org> On Behalf Of Salz, Rich
> > Sent: 26 November 2019 21:53
> > To: acme@ietf.org
> > Subject: Re: [Acme] Call for adoption draft-frield-acme-subdomains
> >
> > WRONG.  My mistake.
> >
> > Please discuss this, especially the subdomains/wildcard issues.  This
> > is *NOT* a call for adoption.  We will take this up in Vancouver, IETF 107.
> >
> > From: Rich Salz <mailto:rsalz@akamai.com>
> > Date: Tuesday, November 26, 2019 at 4:51 PM
> > To: "mailto:acme@ietf.org" <mailto:acme@ietf.org>
> > Subject: [Acme] Call for adoption draft-frield-acme-subdomains
> >
> > This email starts a ten-day call for adoption. There was consensus in
> > the room at IETF 106 to adopt this as a working group document. If you
> > disagree with that, or have any other strong feelings, please post to
> > the list before the end of next week.
> > Also discussed was the need for some additional clarity around
> > subdomains and the existing wildcard challenges.
> >
> > Thank you.
> >
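As an added illustration (not code from the draft or from RFC 8555), here is how a CA-side check could keep the three authorization kinds discussed above (explicit domain, wildcard, base/parent domain) strictly apart; the identifier layout and the "wildcard" field follow RFC 8555, while the "parentdomain" flag name is the one proposed in the quoted email and is an assumption here.

```python
"""Decide whether an ACME authorization object covers a requested DNS identifier,
treating explicit, wildcard and (proposed) parent-domain authorizations as distinct.
Added example; "parentdomain" is the flag name proposed in the thread, not a
field defined by RFC 8555."""
import json


def _norm(name: str) -> str:
    # DNS names are case-insensitive; drop a trailing dot if present.
    return name.lower().rstrip(".")


def authz_covers(authz: dict, requested: str) -> bool:
    """Return True if the decoded authorization object permits issuance for `requested`."""
    if authz.get("status") != "valid":
        return False
    ident = authz.get("identifier", {})
    if ident.get("type") != "dns":
        return False
    base = _norm(ident["value"])
    # RFC 8555 7.1.3: the authorization identifier never carries the "*." prefix,
    # so a stored value that does is malformed and is not trusted.
    if base.startswith("*."):
        return False
    req = _norm(requested)
    if req == base:
        # The exact name is covered by any valid authorization for it (assumption).
        return True
    if req.startswith("*."):
        # A wildcard cert needs the base-domain authz flagged wildcard=true.
        return req[2:] == base and authz.get("wildcard") is True
    # A subdomain cert needs an explicit parent-domain authorization; the
    # leading "." stops "evilexample.com" matching a base of "example.com".
    return req.endswith("." + base) and authz.get("parentdomain") is True


# Constructed sample authorization objects, one per kind (not from any real CA).
SAMPLE_AUTHZ = {
    "explicit": {"status": "valid", "identifier": {"type": "dns", "value": "example.com"}},
    "wildcard": {"status": "valid", "identifier": {"type": "dns", "value": "example.com"}, "wildcard": True},
    "parent": {"status": "valid", "identifier": {"type": "dns", "value": "example.com"}, "parentdomain": True},
}


def coverage_table(requested: str) -> dict:
    """Map each sample authorization kind to whether it covers `requested`."""
    return {kind: authz_covers(a, requested) for kind, a in SAMPLE_AUTHZ.items()}


if __name__ == "__main__":
    for name in ("example.com", "*.example.com", "host.example.com", "a.b.example.com", "evilexample.com"):
        print(name, json.dumps(coverage_table(name)))
```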