Re: [Acme] scope in dns-account-01 and dns-02 challenge
Ilari Liusvaara <ilariliusvaara@welho.com> Thu, 21 March 2024 10:26 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBBCEC15155E for <acme@ietfa.amsl.com>; Thu, 21 Mar 2024 03:26:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M0aKehQW0uL7 for <acme@ietfa.amsl.com>; Thu, 21 Mar 2024 03:26:03 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3b.welho.com [83.102.41.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99F88C151083 for <acme@ietf.org>; Thu, 21 Mar 2024 03:26:03 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id EB55E14AAD for <acme@ietf.org>; Thu, 21 Mar 2024 12:26:00 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id cyJPTqGnV_kt for <acme@ietf.org>; Thu, 21 Mar 2024 12:26:00 +0200 (EET)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id C13527A for <acme@ietf.org>; Thu, 21 Mar 2024 12:25:59 +0200 (EET)
Date: Thu, 21 Mar 2024 12:25:59 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: acme@ietf.org
Message-ID: <ZfwLN3MtNEvcFlaz@LK-Perkele-VII2.locald>
References: <CAN3x4QkK6dFnoo0wfyCBf9_beuQf+Og9+EhoeYvMUbFaoGw8zw@mail.gmail.com> <7EB59D53-7CC4-4AD3-9652-56EA622D25EE@gmail.com> <CAN3x4QkrPT69=HMqB0cRVb6kocCQ3W0C+L1fXT1zN9dCPtaMUg@mail.gmail.com> <CAOG=JUJ9HGAOPVed1i09gsoPc+8qqk4T3sJVD7n_ZLP28deErA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAOG=JUJ9HGAOPVed1i09gsoPc+8qqk4T3sJVD7n_ZLP28deErA@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/HiD1xNZD7b4kLgHmYAsmVuT0HVA>
Subject: Re: [Acme] scope in dns-account-01 and dns-02 challenge
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Mar 2024 10:26:08 -0000
On Wed, Mar 20, 2024 at 08:57:11PM -0400, Amir Omidi wrote: > I do think that this draft can do a better job describing the scope. I > think we should make it more explicit for the client to understand which > one will be used. I feel like splitting this challenge into three (and > potentially more, as extra scopes may or may not be added into the future) > might be a little too noisy. > > What do you think about a `scope` field in the authorization resource the > server sends creates/communicates with the client? Clients opting into > dns02, or dns-account-01 will use this to know exactly what scope the > server is expecting from them for their ACME order. The problem with this is that there might be multiple valid scopes, not just a single valid scope. And clients often have only one that will work, the rest will fail (often in rather bad ways). The obvious scope is is host/wildcard on the target name. However, if CA allows domain scope, thee will be N+1 more, where N is the maximum allowed strip (might be 0, might be more). In another mail, I proposed: - If CA allows domain scope, it sends maximum allowed strip in the challenge. Otherwise only host/wildcard scope is allowed. - If client selects domain scope, it sends strip used in the POST to the challenge URL. Otherwise host/wildcard scope is selected. -Ilari
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Seo Suchan
- [Acme] scope in dns-account-01 and dns-02 challen… Jacob Hoffman-Andrews
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Amir Omidi
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Ilari Liusvaara
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Jacob Hoffman-Andrews
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Amir Omidi
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Ilari Liusvaara
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Jacob Hoffman-Andrews
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Amir Omidi
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Jacob Hoffman-Andrews
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Ilari Liusvaara