Re: [Acme] acme subdomains open items
Ryan Sleevi <ryan-ietf@sleevi.com> Fri, 04 December 2020 19:26 UTC
Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E15073A0EE3 for <acme@ietfa.amsl.com>; Fri, 4 Dec 2020 11:26:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8N0ChUwVBm-K for <acme@ietfa.amsl.com>; Fri, 4 Dec 2020 11:26:53 -0800 (PST)
Received: from mail-pf1-f171.google.com (mail-pf1-f171.google.com [209.85.210.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15FAF3A0EE0 for <acme@ietf.org>; Fri, 4 Dec 2020 11:26:47 -0800 (PST)
Received: by mail-pf1-f171.google.com with SMTP id t8so4426217pfg.8 for <acme@ietf.org>; Fri, 04 Dec 2020 11:26:47 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mNaMjXquRiVwUaMfvxjQNppseplzvtmIdMrLyl0R9h8=; b=TxK2QpkAM8KmVRHjGUjhNRPaxpu8Rs/FFc/SXw5CDMkS/AbOcbrkadGOIV/0UnwA5J nULcTGlbQaYbJ+pQH57hXW5aLlvW3MZuVNylBj5MPE8WIktgVHYp16gie28+GRtPKOb4 HOSiITPnK1lK20FB8YGuakp3vivh3jb7ViKx42HaTQ/jpyp/5er5xLsyvH2pvxSFo/ZT CnRmvzuY1UI379mEWwiT6+d2IiApfONq5iaV1WWJeqtSO5l5N6wr5mC0NwxYpVeNTlcP LmTt+D2yvJPVyU22khBn3S0MZSGEaZDbCgTND8HwHf1m24/K/s6qCCCeiZ6vRUlP68It lHzA==
X-Gm-Message-State: AOAM532bE8ARyPUoFPNX5p1sUXv0bf0XakMjOH0DzBaq3BdLZx6SzeQc fHvTMvI3DBOXmAqONHJZPtzIjTCxKys=
X-Google-Smtp-Source: ABdhPJw8MOxM7lQPRTwcpDXed8NldmiekooVUy+rGd5uU6Q6kg88YcldaLnQKdbxVx87MYCgdsrgRA==
X-Received: by 2002:aa7:9521:0:b029:18b:b43:6cc with SMTP id c1-20020aa795210000b029018b0b4306ccmr5171128pfp.73.1607110006944; Fri, 04 Dec 2020 11:26:46 -0800 (PST)
Received: from mail-pl1-f170.google.com (mail-pl1-f170.google.com. [209.85.214.170]) by smtp.gmail.com with ESMTPSA id kb12sm2764041pjb.2.2020.12.04.11.26.46 for <acme@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 04 Dec 2020 11:26:46 -0800 (PST)
Received: by mail-pl1-f170.google.com with SMTP id x15so3686350pll.2 for <acme@ietf.org>; Fri, 04 Dec 2020 11:26:46 -0800 (PST)
X-Received: by 2002:a17:90b:1b52:: with SMTP id nv18mr5421809pjb.172.1607110006269; Fri, 04 Dec 2020 11:26:46 -0800 (PST)
MIME-Version: 1.0
References: <CY4PR11MB168504F6D4CF495E8AE8F729DBF10@CY4PR11MB1685.namprd11.prod.outlook.com> <CA7603D9-DFDA-4FA6-A76C-D4E0E638A956@felipegasper.com> <CY4PR11MB16851AD65ACF736CE6FD55A8DBF10@CY4PR11MB1685.namprd11.prod.outlook.com>
In-Reply-To: <CY4PR11MB16851AD65ACF736CE6FD55A8DBF10@CY4PR11MB1685.namprd11.prod.outlook.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Fri, 04 Dec 2020 14:26:35 -0500
X-Gmail-Original-Message-ID: <CAErg=HEON6756+_3Lfbe=r=3rxV9gAundvG5mBEEOzsKqL8x3w@mail.gmail.com>
Message-ID: <CAErg=HEON6756+_3Lfbe=r=3rxV9gAundvG5mBEEOzsKqL8x3w@mail.gmail.com>
To: "Owen Friel (ofriel)" <ofriel=40cisco.com@dmarc.ietf.org>
Cc: Felipe Gasper <felipe@felipegasper.com>, "acme@ietf.org" <acme@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000009f05d05b5a87558"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/H-oK6ZnT-0hZt4R9YMlii9HHaiI>
Subject: Re: [Acme] acme subdomains open items
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2020 19:26:55 -0000
Thanks for bringing it to the list, Owen. This is something we're trying to lock down in the CA/B Forum, at least with respect to the 'http-01' method, by making it clear that, like tls-alpn-01, it cannot be used as an Authorization Domain Name (i.e. a domain and all of its descendents), only as an FQDN. So this method primarily is for the 'dns-01' method, which seems to suggest that, at a minimum, the ACME server needs to indicate to the ACME client what modifications it will accept, since the ACME client will need to actually modify the DNS record at the appropriate label. If the server only chooses a single label, then it seems both likely and possible that the server may choose a dns-01 challenge that the client cannot fulfill (e.g. the client can only modify subdomain.example.com and descendents, but the server/CA chooses to challenge against example.com) So I *think* it would benefit from having the server be able to issue challenges against several identifiers, and communicate that to the client, which seems to argue "Yes" for your question #2. Equally in this scenario, I think you're asking whether or not the client should be able to indicate its capabilities to the ACME server, for selecting appropriate challenges. If a client is using dns-01 and can only modify subdomain.example.com, it doesn't benefit the client at all if the server chooses to also allow example.com. The question is whether there's a security risk in doing so; that is, should the client be able to affirmatively restrict the server or does it not matter. Does that accurately capture things? On Fri, Dec 4, 2020 at 10:25 AM Owen Friel (ofriel) <ofriel= 40cisco.com@dmarc.ietf.org> wrote: > That is what is currently documented – the server simply picks the one > domain that it wants the client to fulfil the challenge against. > > > > That was presented as the current documented approach. And I also > presented the open questions if we needed to build flexibility in client > request and/or server response. There were no concrete opinions as far as I > recall (waiting on the exact minutes) and Rich said to bring the qs to the > mailer for further discussion. > > > > Cheers, > > Owen > > > > > > *From:* Acme <acme-bounces@ietf.org> *On Behalf Of *Felipe Gasper > *Sent:* 04 December 2020 21:35 > *To:* Owen Friel (ofriel) <ofriel=40cisco.com@dmarc.ietf.org> > *Cc:* acme@ietf.org > *Subject:* Re: [Acme] acme subdomains open items > > > > I wasn’t part of IETF 109 .. was it discussed simply to give CAs the > ability to choose whether it tries authz against parent domains without the > client’s requesting it? > > > > This is how our (non-ACME) Sectigo integration works currently, and it > suits us well. > > > > -F > > > > On Dec 4, 2020, at 02:23, Owen Friel (ofriel) < > ofriel=40cisco.com@dmarc.ietf.org> wrote: > > > > Hi all, > > > > As recommended by the chairs at IETF109, bring the two open items to the > list for discussion. These were raised by Felipe and Ryan previously. > > > > 1: Does the client need a mechanism to indicate that they want to > authorize a parent domain and not the explicit subdomain identifier? Or a > mechanism to indicate that they are happy to authorize against a choice of > identifiers? > > > > E.g. for foo1.foo2.bar.example.com, should the client be able to specify > anywhere from 1 to 4 identifiers they are willing to fulfil challenges for? > > > > 2: Does the server need a mechanism to provide a choice of identifiers to > the client and let the client chose which challenge to fulfil? > > > > E.g. for foo1.foo2.bar.example.com, should the server be able to specify > anywhere from 1 to 4 identifiers that the client can pick from to fulfil? > > > > Both 1 and 2 require JSON object definition changes. Currently, the > document only defines how a client can submit a newOrder / newAuthz for a > subdomain, and the server can chose any one parent identifier that it > requires a challenge fulfilment on > > > > Owen > > > > > https://datatracker.ietf.org/meeting/109/materials/slides-109-acme-subdomains-01 > > > > https://tools.ietf.org/html/draft-friel-acme-subdomains-03#section-4 > > > > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme > > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme >
- [Acme] acme subdomains open items Owen Friel (ofriel)
- Re: [Acme] acme subdomains open items Felipe Gasper
- Re: [Acme] acme subdomains open items Owen Friel (ofriel)
- Re: [Acme] acme subdomains open items Ryan Sleevi
- Re: [Acme] acme subdomains open items Owen Friel (ofriel)
- Re: [Acme] acme subdomains open items Ryan Sleevi
- Re: [Acme] acme subdomains open items Michael Richardson
- Re: [Acme] acme subdomains open items Ryan Sleevi
- Re: [Acme] acme subdomains open items Michael Richardson
- Re: [Acme] acme subdomains open items Ryan Sleevi
- Re: [Acme] acme subdomains open items Michael Richardson
- Re: [Acme] acme subdomains open items Ryan Sleevi
- Re: [Acme] acme subdomains open items Owen Friel (ofriel)
- Re: [Acme] acme subdomains open items Michael Richardson
- [Acme] should acme-subdomains support http-01 cha… Michael Richardson
- Re: [Acme] should acme-subdomains support http-01… Ryan Sleevi