IETF Logo Mail Archive

Re: [Acme] scope in dns-account-01 and dns-02 challenge

Amir Omidi <amir@aaomidi.com> Thu, 21 March 2024 23:11 UTC

Return-Path: <amir@aaomidi.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58780C14F6A3 for <acme@ietfa.amsl.com>; Thu, 21 Mar 2024 16:11:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aaomidi.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xFLrMaDmhSpp for <acme@ietfa.amsl.com>; Thu, 21 Mar 2024 16:11:03 -0700 (PDT)
Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 363A5C14F5EB for <acme@ietf.org>; Thu, 21 Mar 2024 16:10:54 -0700 (PDT)
Received: by mail-ed1-x52e.google.com with SMTP id 4fb4d7f45d1cf-56b8e4f38a2so1938158a12.3 for <acme@ietf.org>; Thu, 21 Mar 2024 16:10:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aaomidi.com; s=google; t=1711062652; x=1711667452; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Vya7puxLlNp46RCvCE0qY+wTgS0se3I9BpOlzYM//wA=; b=N4qFuiGxJEI75hktGpSaWaLvdFqQjYBilGPx7eev/EnJzxdbxq0klDybbu0IotzzJJ bnEjZJMyZYvc6tp1FgdkYg/BDWFu6V7g78gtr7Z3bKSGnPX+UFalip6QqABMoulucxtl MVnrcpLMW0iRxNLg081sMcdHnJDox2SlmPaygooLbUdc+X16dhGD4IuO9rQ7WjUdRTFx ZwV1c7Y7QO/hG9ZcTviLhoPTas1R9kXWbdvKP6N4JJmGLiLbqauvKPNIFW5+GVfdTXfa 93uO4t1d0yOOvpDC2VSt63XycqLF5YC3tM0cALDeThxfT+qPtuhQe1NXi1kua8Euxd+D HMDA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711062652; x=1711667452; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Vya7puxLlNp46RCvCE0qY+wTgS0se3I9BpOlzYM//wA=; b=Ng7vDKeTPTgVsgQDL+DGj98L/LbhaIpRm3IdCeB22576N5jW1dBFhziRZwxlCExJSY qih0ItKVGfmMcbikjm7q2JeLzX1SEE6dPJ7NTzlk14n4RQulxHl8+uCXOWxr/paaXT3y PdebT9eTM/UGznRBOeA8pXlKWV5hlvmMLcLRrVmW2u70utWbj1vTQ/ON2tYiKRwObdTS UEoHcrChcvb/v0ZPyM0M1D9w59UJExTQxrK/43GyWY2KBGz/+HqINxp9uwo8jKXlpjY+ KQOQsXU7xNsZM3x2ZWPcYHqHmulZwu1+jVceb5FeixLepWudUjgOfVL9bvdwIJO1Nr2C fMpA==
X-Forwarded-Encrypted: i=1; AJvYcCXX0Z2exuehHiccoZhVam5S2DLEPZzLnrTimLDXJROuChH1zxFT3lA3cdvlv5t7hDrMAPz93sECtye1L2fp
X-Gm-Message-State: AOJu0Yw+kpY3s4nlTjmuApre+j4G/UEx2w5gE00VTarb6IYh2IcQ/CG5 HvxbxVZN9Z7XdNkZyQ21qO90FnXmyb02ICDq4CKLFA6YrXv7+YXy7zgGWqiKiFtEDFgeBeeJSnc gYm4A9ezuKFgLl+oYqUFLez56O3w8LW9RjhfigQ==
X-Google-Smtp-Source: AGHT+IHTKK4smBJcTOGelXhy+O67wrXxerz8GfYVVfnEs3K5POGnQv3RekprAjdKIS94A30bvpE9Xc2B2VNNXlANFPw=
X-Received: by 2002:a50:a6d7:0:b0:565:dfac:a686 with SMTP id f23-20020a50a6d7000000b00565dfaca686mr361858edc.38.1711062652134; Thu, 21 Mar 2024 16:10:52 -0700 (PDT)
MIME-Version: 1.0
References: <CAN3x4QkK6dFnoo0wfyCBf9_beuQf+Og9+EhoeYvMUbFaoGw8zw@mail.gmail.com> <7EB59D53-7CC4-4AD3-9652-56EA622D25EE@gmail.com> <CAN3x4QkrPT69=HMqB0cRVb6kocCQ3W0C+L1fXT1zN9dCPtaMUg@mail.gmail.com> <CAOG=JUJ9HGAOPVed1i09gsoPc+8qqk4T3sJVD7n_ZLP28deErA@mail.gmail.com> <CAN3x4QkF_ZUotFfq+e+23pY5ktPi1eMY+KFt6JBgbAHix4=vWQ@mail.gmail.com>
In-Reply-To: <CAN3x4QkF_ZUotFfq+e+23pY5ktPi1eMY+KFt6JBgbAHix4=vWQ@mail.gmail.com>
From: Amir Omidi <amir@aaomidi.com>
Date: Thu, 21 Mar 2024 19:10:40 -0400
Message-ID: <CAOG=JUL+aWuZubU3+QNBrphUZcHApqeUJ7SaXukOrSCOt57otQ@mail.gmail.com>
To: Jacob Hoffman-Andrews <jsha=40letsencrypt.org@dmarc.ietf.org>
Cc: Amir Omidi <amir=40aaomidi.com@dmarc.ietf.org>, Seo Suchan <tjtncks@gmail.com>, acme@ietf.org
Content-Type: multipart/alternative; boundary="00000000000091cf0c061433d132"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/HtjIdEbM2e0uSo1EPvVKwJEtRiQ>
Subject: Re: [Acme] scope in dns-account-01 and dns-02 challenge
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Mar 2024 23:11:07 -0000

Accidentally sent this as a private reply earlier.

First, I don't want the BR process to drive the IETF process. I've been
mostly avoiding really thinking about the BRs with this draft. Especially
since participation here feels a lot simpler and democratic than it does at
CA/B.

Regarding my resistance in adding these as two or three separate
challenges: I've felt that the challenge types have become "headline"
names, while the implementation of the challenges are not something most
people care about.

I'm mainly trying to meet the end users where they are. I feel like
dns-account-01 is already going to be pretty confusing. Now making that
have a bit more of the implementation details in the "headline labels"
seems like it's going to confuse folks more.

This is where I think your experience with the Let's Encrypt community
forum can help. Do you feel like my worry here is warranted?

Beyond that, I also partially disagree with:

> but I think there is less need for domain-scoped validations in ACME.

I'm probably pretty much in agreement with you there, but I feel like now
that RFC9444 is a published RFC, it wouldn't make much sense to not build
support for that, where it makes sense, in new challenges. I doubt I'd
personally use that challenge much, and this is where I think the ACME WG
might have more opinions on keeping or discarding the `domain` scope. It
would be a shame if ACME CAs started using the `domain` scope, and didn't
have the functionality for that built into this scoped based challenge.

As for not introducing dns-02, I *could* see a future where the scoped
based challenges become a requirement. I don't think we're even close to
that yet though. In that future, the account URI based ones might be really
annoying to deal with. I also think they'd be annoying to deal with from an
external debug-ability perspective (e.g, someone posts a request on the LE
community forum of "why this not working", and now someone helping them
can't run a simple TXT lookup to answer their question.)

I should really say though, with most of this I don't have a strong
opinion. I'm mostly approaching this from the perspective of a user who
doesn't really know ACME, is already overwhelmed by this entire process,
and just wants to get a certificate to work and be able to answer questions
when their manager asks them "so what is the deal with these certificate
challenges? Which one are we going to use and why?"



On Thu, Mar 21, 2024 at 2:42 PM Jacob Hoffman-Andrews <jsha=
40letsencrypt.org@dmarc.ietf.org> wrote:

> On Wed, Mar 20, 2024 at 5:57 PM Amir Omidi <amir=
> 40aaomidi.com@dmarc.ietf.org> wrote:
>
>> I feel like splitting this challenge into three (and potentially more, as
>> extra scopes may or may not be added into the future) might be a little too
>> noisy.
>>
>
> Combined with my other proposals, we only wind up with two total challenge
> types: `dns-account-host-01` and `dns-account-wildcard-01`. I propose to
> get rid of domain scopes and the `dns-02` challenge type.
>
> What do you think about a `scope` field in the authorization resource the
>> server sends creates/communicates with the client? Clients opting into
>> dns02, or dns-account-01 will use this to know exactly what scope the
>> server is expecting from them for their ACME order.
>>
>
> This works, and is closest to your intention with the current draft, where
> the server decides the appropriate scope and the client has to abide by it.
> I do think it will be more annoying to pull into the BRs, since they will
> have to have language that says "This challenge type may be used to issue
> for wildcard domains if the ACME server sent `"scope": "wildcard"`."
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>

v2.23.0 | Report a Bug | By Email