Re: [Acme] ACME subdomains

"Owen Friel (ofriel)" <ofriel@cisco.com> Thu, 03 September 2020 03:10 UTC

From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
CC: Felipe Gasper <felipe@felipegasper.com>, Jacob Hoffman-Andrews <jsha@letsencrypt.org>, "acme@ietf.org" <acme@ietf.org>
Thread-Topic: [Acme] ACME subdomains
Date: Thu, 03 Sep 2020 03:10:08 +0000
Message-ID: <CY4PR11MB16855F30DC87D1CA85396D55DB2C0@CY4PR11MB1685.namprd11.prod.outlook.com>
References: <AC488DAF-A24F-4B1A-9192-7ACD75F7EF48@felipegasper.com> <CAN3x4QmGDGGbeVXhH9NjMwSRLi97XX+di2tUAO0kNLyfCNABUA@mail.gmail.com> <CY4PR11MB16854D2F1B8E271BB8ABF7BDDB2F0@CY4PR11MB1685.namprd11.prod.outlook.com> <CAErg=HE+0WDTNVCZBnxPP_Mdh_w4LCxc0MOp6ZeMFBt_x5BncA@mail.gmail.com>
In-Reply-To: <CAErg=HE+0WDTNVCZBnxPP_Mdh_w4LCxc0MOp6ZeMFBt_x5BncA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/GZZhWmaw8lJIazVFp2a7Vsoymac>
Subject: Re: [Acme] ACME subdomains

I followed the patterns used in RFC8555 which consistently uses example.com as the ACME server base domain and example.org as the client certificate identifier base domain, but yes Ryan I did find this a source of confusion too when reading ACME.

For clarity, I replaced all example.com with acmeserver.com, and left all the client identifiers as example.org. I also replaced all the random values in the tokens and URIs so that duplicate random values (i.e. duplicate URIs or tokens) are not used within an option example, as this could have caused confusion too.

Both option 1. Your suggestion. I think we need new challenge types for the parent for each of the supported challenge types, e.g. http-parent-01 and dns-parent-01.

~~~
   {
     "status": "pending",
     "expires": "2015-03-01T14:09:07.99Z",

     "identifier": {
       "type": "dns",
       "value": "foo.bar.example.org"
     },

     "challenges": [
       {
         "url": "https://acmeserver.com/acme/chall/prV_B7yEyA4",
         "type": "http-01",
         "status": "pending",
         "token": "DGyRejmCefe7v4NfDGDKfA"
       },
       {
         "url": "https://acmeserver.com/acme/chall/NvGuSDAgel",
         "type": "http-parent-01",
         "parent-identifier": "example.org",
         "status": "pending",
         "token": "4ri0VOyfYe"
       },
       {
         "url": "https://acmeserver.com/acme/chall/Nd0E0RmHYe",
         "type": "dns-parent-01",
         "parent-identifier": "example.org",
         "status": "pending",
         "token": "S9nQjcWrSI"
       }
     ]
   }
~~~

Both option 2. The challenge for the parent domain is of a new type that contains a set of nested challenges of existing types.

~~~
   {
     "status": "pending",
     "expires": "2015-03-01T14:09:07.99Z",

     "identifier": {
       "type": "dns",
       "value": "foo.bar.example.org"
     },

     "challenges": [
       {
         "url": "https://acmeserver.com/acme/chall/9eDK8EeM8R",
         "type": "http-01",
         "status": "pending",
         "token": "DGyRejmCefe7v4NfDGDKfA"
       },
       {
         "url": "https://acmeserver.com/acme/chall/PAniVnsZcis",
         "type": "related-identifier",
         "status": "pending",
         "related-identifier": "example.org",
         "challenges": [
           {
             "url": "https://acmeserver.com/acme/chall/NYV9zTtOBT",
             "type": "http-01",
             "status": "pending",
             "token": "q1XCKRP2DX"
           },
           {
             "url": "https://acmeserver.com/acme/chall/25OE1ZoicK",
             "type": "dns-01",
             "status": "pending",
             "token": "bLfEMqhoVp"
           }
         ]
       }
     ]
   }
~~~

Both option 3. A new challenge type that points to another new authorization object. This can be a standard authorization object that includes http-01, dns-01 challenges for the parent. It may make sense to also include the parent domain in this new challenge, even though it will be in the 2nd authorization.

~~~
   {
     "status": "pending",
     "expires": "2015-03-01T14:09:07.99Z",

     "identifier": {
       "type": "dns",
       "value": "foo.bar.example.org"
     },

     "challenges": [
       {
         "url": "https://acmeserver.com/acme/chall/RW9UppaYs0",
         "type": "http-01",
         "status": "pending",
         "token": "DGyRejmCefe7v4NfDGDKfA"
       },
       {
         "url": "https://acmeserver.com/acme/chall/PAniVnsZcis",
         "type": "related-identifier",
         "related-identifier": "example.org",
         "related-authorization": "https://example.com/acme/authz/r4HqLzrSrpI",
         "status": "pending"
       }
     ]
   }
~~~

And for option 3, the related-authorization points to the authorization object for the parent domain e.g. POST-as-GET to the “related-authorization” https://example.com/acme/authz/r4HqLzrSrpI :

~~~
   {
     "status": "pending",
     "expires": "2015-03-01T14:09:07.99Z",

     "identifier": {
       "type": "dns",
       "value": "example.org"
     },

     "challenges": [
       {
         "url": "https://acmeserver.com/acme/chall/prV_B7yEyA4",
         "type": "http-01",
         "status": "pending",
         "token": "DGyRejmCefe7v4NfDGDKfA"
       },
       {
         "url": "https://acmeserver.com/acme/chall/Nd0E0RmHYe",
         "type": "dns-01",
         "status": "pending",
         "token": "S9nQjcWrSI"
       }
     ]
   }
~~~

Of all the above, option 3 arguably keeps the client implementation and logic as close to base ACME as possible.


From: Ryan Sleevi <ryan-ietf@sleevi.com>
Sent: 02 September 2020 23:08
To: Owen Friel (ofriel) <ofriel@cisco.com>
Cc: Felipe Gasper <felipe@felipegasper.com>; Jacob Hoffman-Andrews <jsha@letsencrypt.org>; acme@ietf.org
Subject: Re: [Acme] ACME subdomains

There’s a lot of mixing of example.org and example.com here, in ways I’m having trouble making sense of. I just wanted to confirm those were typos, since we have recently seen some confusion around this space.
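The option 3 layout from Owen's message above, as an added example that is not part of the original thread: a client-side consistency check a defender would want before following a related-authorization pointer, refusing the pointer unless the related identifier is a real ancestor of the requested name, the pointed-to authorization actually covers that parent, and the URL stays on the ACME server's own host. The two sample authorizations, the tokens/URLs and the acmeserver.com host are constructed for this example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample data modelled on the option 3 layout in the message above
# (URLs and tokens are made up; acmeserver.com is the hypothetical ACME server).
SUBDOMAIN_AUTHZ = json.loads("""{
  "status": "pending", "expires": "2015-03-01T14:09:07.99Z",
  "identifier": {"type": "dns", "value": "foo.bar.example.org"},
  "challenges": [
    {"url": "https://acmeserver.com/acme/chall/RW9UppaYs0", "type": "http-01",
     "status": "pending", "token": "DGyRejmCefe7v4NfDGDKfA"},
    {"url": "https://acmeserver.com/acme/chall/PAniVnsZcis", "type": "related-identifier",
     "related-identifier": "example.org",
     "related-authorization": "https://acmeserver.com/acme/authz/r4HqLzrSrpI",
     "status": "pending"}]}""")
PARENT_AUTHZ = json.loads("""{
  "status": "pending", "expires": "2015-03-01T14:09:07.99Z",
  "identifier": {"type": "dns", "value": "example.org"},
  "challenges": [
    {"url": "https://acmeserver.com/acme/chall/prV_B7yEyA4", "type": "http-01",
     "status": "pending", "token": "DGyRejmCefe7v4NfDGDKfA"},
    {"url": "https://acmeserver.com/acme/chall/Nd0E0RmHYe", "type": "dns-01",
     "status": "pending", "token": "S9nQjcWrSI"}]}""")

def is_ancestor(parent: str, name: str) -> bool:
    """True if `name` is a strict subdomain of `parent`, compared on label boundaries."""
    p, n = parent.rstrip(".").lower(), name.rstrip(".").lower()
    return n != p and n.endswith("." + p)

def find_related(authz: dict):
    """Return the related-identifier challenge of an authorization, or None."""
    return next((c for c in authz["challenges"] if c.get("type") == "related-identifier"), None)

def check_related(authz: dict, parent_authz: dict, server_host: str) -> list:
    """Client-side sanity checks before attempting the parent's challenges.
    Returns a list of problems; an empty list means the pointer is consistent."""
    problems = []
    ch = find_related(authz)
    if ch is None:
        return ["no related-identifier challenge present"]
    parent, name = ch.get("related-identifier", ""), authz["identifier"]["value"]
    if not is_ancestor(parent, name):
        problems.append(f"{parent!r} is not a parent of {name!r}")
    url = urlsplit(ch.get("related-authorization", ""))
    if url.scheme != "https" or url.hostname != server_host.lower():
        problems.append(f"related-authorization is not on {server_host}")
    pid = parent_authz["identifier"]
    if pid.get("type") != "dns" or pid.get("value", "").rstrip(".").lower() != parent.rstrip(".").lower():
        problems.append("related authorization is not for the stated parent identifier")
    if not any(c.get("type") in ("http-01", "dns-01") for c in parent_authz["challenges"]):
        problems.append("parent authorization offers no http-01/dns-01 challenge")
    return problems
```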