Re: [Acme] DNS-ACCOUNT-01 Updates

Amir Omidi <amir@aaomidi.com> Wed, 02 August 2023 13:38 UTC

From: Amir Omidi <amir@aaomidi.com>
Date: Wed, 02 Aug 2023 09:38:00 -0400
Message-ID: <CAOG=JULO741LwZhWatJXc_9-89cDy95F1UG_zE3p+OJSF97dUg@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: Deb Cooley <debcooley1@gmail.com>, "acme@ietf.org" <acme@ietf.org>, Amir Omidi <aaomidi@google.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/HCrWpfrMhJB_tJZ0gT3uDmc-CTQ>

Dear All,

Thank you for the discussion at IETF 117. This email intends to follow up
on some points that were brought up during the meeting last week.

Just a reminder that the main motivation behind this draft (
https://datatracker.ietf.org/doc/draft-ietf-acme-dns-account-challenge/) is
to make domain validation delegation to more than a single entity possible.
This allows DNS validation challenges to rise to the flexibility offered by
both HTTP-01 and TLS-ALPN-01 challenges. This flexibility is necessary to
make ACME adoption possible for larger integrators that already have an
established domain and are deployed in a diverse set of environments.

For this discussion let's assume that we have:

ACME Account with the KID of: https://example.com/acme/chall/i00MGYwLWIx

Domain being validated: www.example.org


Draft proposed format:

_acme-challenge_ujmmovf2vn55tgye.www.example.org

This format is easy to integrate with existing ACME clients that also
automate DNS changes. It requires minimal changes on the zone operator side
and can easily be deployed alongside DNS-01.

This format also allows this challenge to be used today. That means any CA
can adopt this challenge today (even while it is in draft form) and solve
the multi-delegated domain validation problem.


My understanding (please correct me if I've misunderstood & misinterpreted)
of the proposal in the meeting was to add the account DNS label to the left
of _acme-challenge:

ujmmovf2vn55tgye._acme-challenge.www.example.org

The benefit of this proposal is that it conforms better to how DNS
hierarchies are designed. It has a clear separation of the _acme-challenge
zone. It also might be a potential solution to
https://github.com/aaomidi/draft-ietf-acme-dns-account-challenge/issues/13#issuecomment-1376612268

The downsides of this proposal are that it would require the BRs to be
updated before this challenge can be used, and that it's more complicated
to integrate this with existing ACME clients.

From my perspective, the proposal makes adoption of this challenge by end
users a bit more difficult without many tangible benefits.

Are there any benefits that I'm missing or other alternatives? Does the
working group have a strong feeling on either the current format or the
proposed format?

On Fri, Jun 23, 2023 at 4:27 PM Michael Richardson <mcr+ietf@sandelman.ca>
wrote:

>
> Amir Omidi <amir=40aaomidi.com@dmarc.ietf.org> wrote:
>     > After some deliberation on this, I think we're erring on the side of
>     > DNS-ACCOUNT-01 rather than DNS-02. Speaking to a few people privately,
>     > there is a concern that DNS-02 implies a deprecation of DNS-01 which is
>     > not the intention of this draft. This unintentional implication may be
>     > detrimental to the adoption of ACME.
>
> Wise.
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>  -= IPv6 IoT consulting =-                      *I*LIKE*TRAINS*
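As an added example (not code from the post, the draft, or any ACME implementation), the following Python derives the per-account label and builds the two record layouts the post compares, plus a zone-operator-side check that recognises either layout. It assumes the draft's derivation, lowercase base32 of the first 10 bytes of SHA-256 over the account URL; the label quoted in the post is treated as the draft's example value and is not recomputed here.

```python
"""Added example: DNS-ACCOUNT-01 label derivation and the two record layouts.

Derivation assumed from draft-ietf-acme-dns-account-challenge: lowercase
base32 of the first 10 bytes of SHA-256(account URL). Check against the draft.
"""
import base64
import hashlib
import re
from typing import Optional, Tuple

# Sample values taken from the mailing-list post (constructed inputs).
ACCOUNT_KID = "https://example.com/acme/chall/i00MGYwLWIx"
DOMAIN = "www.example.org"

PREFIX = "_acme-challenge_"           # 16 characters
LABEL_RE = re.compile(r"^[a-z2-7]{16}$")  # 10 bytes -> 16 base32 chars, no '='


def account_label(kid: str) -> str:
    """Return the 16-character lowercase base32 label derived from the KID."""
    digest = hashlib.sha256(kid.encode("utf-8")).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower()


def draft_record_name(kid: str, domain: str) -> str:
    """Current draft layout: label appended to the _acme-challenge owner name."""
    return f"{PREFIX}{account_label(kid)}.{domain}"


def proposed_record_name(kid: str, domain: str) -> str:
    """IETF 117 proposal: label as its own node to the left of _acme-challenge."""
    return f"{account_label(kid)}._acme-challenge.{domain}"


def parse_record_name(name: str) -> Optional[Tuple[str, str, str]]:
    """Recognise either layout; return (layout, label, domain) or None.

    A zone operator can use this to see which account-scoped owner name a
    delegated party is asking for before publishing a TXT or CNAME there.
    """
    labels = name.rstrip(".").split(".")
    first = labels[0]
    second = labels[1] if len(labels) > 1 else ""
    if first.startswith(PREFIX) and LABEL_RE.match(first[len(PREFIX):]):
        return "draft", first[len(PREFIX):], ".".join(labels[1:])
    if second == "_acme-challenge" and LABEL_RE.match(first):
        return "proposed", first, ".".join(labels[2:])
    return None


if __name__ == "__main__":
    print(draft_record_name(ACCOUNT_KID, DOMAIN))
    print(proposed_record_name(ACCOUNT_KID, DOMAIN))
```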