Re: [Acme] ACME wildcards vs. subdomain authorizations (was RE: Call for adoption draft-friel-acme-subdomains)

"Owen Friel (ofriel)" <ofriel@cisco.com> Sat, 07 March 2020 02:35 UTC

From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: "Owen Friel (ofriel)" <ofriel@cisco.com>, Felipe Gasper <felipe@felipegasper.com>
CC: IETF ACME <acme@ietf.org>
Date: Sat, 7 Mar 2020 02:34:56 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/KAIaZtTFi-Gb5yPLWwxQnnnsE7M>
List-Id: Automated Certificate Management Environment <acme.ietf.org>

I just published draft-02 https://www.ietf.org/id/draft-friel-acme-subdomains-02.txt which hopefully addresses the pre-authorization and policy discussions below.


-----Original Message-----
From: Acme <acme-bounces@ietf.org> On Behalf Of Owen Friel (ofriel)
Sent: 29 January 2020 05:51
To: Felipe Gasper <felipe@felipegasper.com>
Cc: IETF ACME <acme@ietf.org>
Subject: Re: [Acme] ACME wildcards vs. subdomain authorizations (was RE: Call for adoption draft-frield-acme-subdomains)



> -----Original Message-----
> From: Felipe Gasper <felipe@felipegasper.com>
> Sent: 21 January 2020 14:01
> To: Owen Friel (ofriel) <ofriel@cisco.com>
> Cc: IETF ACME <acme@ietf.org>
> Subject: Re: [Acme] ACME wildcards vs. subdomain authorizations (was 
> RE: Call for adoption draft-frield-acme-subdomains)
> 
> 
> > On Jan 21, 2020, at 7:13 AM, Owen Friel (ofriel) <ofriel@cisco.com> wrote:
> >
> >>
> >> Will this document eventually also describe subdomain authz via the 
> >> standard ACME workflow?
> >>
> >> <snip>
> >
> > [ofriel] That's the exact workflow that the document is attempting to
> > describe, so maybe it needs to be clarified.
> > The example section
> > https://tools.ietf.org/html/draft-friel-acme-subdomains-01#section-4.2
> > (and I realise now looking at it that I messed up the numbered steps -
> > they are all '1') outlines a client authorizing for "example.com" and
> > getting certs for "sub0.example.com", "sub1.example.com" and
> > "sub2.example.com". If it's not clear, I can try to reword in an update.
> 
> Your document seems to confine itself to the pre-authorization 
> workflow, though (as per section 4’s 2nd paragraph, anyhow); I’m 
> thinking applicability to 8555’s default/standard/order-then-authz workflow.

[ofriel] Confining to pre-authorization certainly isn’t the intention, and I can clarify this.

https://tools.ietf.org/html/draft-friel-acme-subdomains-01#section-4.1 states:

" If a server has such a policy and a client is not authorized for the
   parent domain then:
...
   o  If the client submits a newOrder request for a subdomain: The
      server MUST return a status 201 (Created) response.  The response
      body is an order object with status set to "pending" and links to
      newly created authorizations objects against the parent domain." 

So some of the text explicitly allows this. I will refactor.

> 
> -FG
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
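The flow the thread describes (a newOrder for "sub0.example.com" that comes back 201/pending with an authorization against the parent "example.com", after which "sub1.example.com" and "sub2.example.com" can be ordered under the same parent authorization) as an added, self-contained model. This is example code written for this page, not code from draft-friel-acme-subdomains, from Owen Friel, or from any ACME implementation. The policy table of parents, the in-memory store, the stubbed challenge completion and the reuse of an existing valid parent authorization for later orders are assumptions made for illustration. The part a practitioner should look at is `is_subdomain`: the parent relation has to be checked at a label boundary, otherwise an authorization for example.com would cover "evilexample.com" or "example.com.attacker.net".

```python
"""Toy model of an ACME server with a subdomain-authorization policy.

Added example for the thread above; not draft-friel-acme-subdomains code.
Assumptions: the policy table below, an in-memory store, and a stub that
marks a parent authorization valid in place of a real dns-01/http-01 check.
"""
from __future__ import annotations

import itertools
import re

# Constructed policy (assumption): parents whose subdomains this CA will
# certify once the account proves control of the parent itself.
SUBDOMAIN_POLICY_PARENTS = {"example.com"}

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so comparisons are purely textual."""
    return name.strip().lower().rstrip(".")


def is_valid_dns_name(name: str) -> bool:
    labels = name.split(".")
    return len(name) <= 253 and len(labels) >= 2 and all(_LABEL.match(l) for l in labels)


def is_subdomain(child: str, parent: str) -> bool:
    """True only for a proper subdomain at a label boundary.

    "evilexample.com" and "example.com.attacker.net" are both False; a plain
    endswith(parent) check would accept the first and is the classic mistake.
    """
    child, parent = normalize(child), normalize(parent)
    return child != parent and child.endswith("." + parent)


def covering_parent(identifier: str) -> str | None:
    """Policy parent whose authorization covers `identifier`, or None.

    Wildcard identifiers are refused here: wildcard issuance has its own
    rules and is not what this toy models.
    """
    ident = normalize(identifier)
    if ident.startswith("*") or not is_valid_dns_name(ident):
        return None
    for parent in SUBDOMAIN_POLICY_PARENTS:
        if ident == parent or is_subdomain(ident, parent):
            return parent
    return None


class ToyAcmeServer:
    def __init__(self) -> None:
        self._ids = itertools.count(1)
        self.authz: dict[int, dict] = {}   # authz id -> account, parent identifier, status
        self.orders: dict[int, dict] = {}

    def _valid_authz_for(self, account: str, parent: str) -> int | None:
        for aid, a in self.authz.items():
            if a["account"] == account and a["identifier"] == parent and a["status"] == "valid":
                return aid
        return None

    def new_order(self, account: str, identifiers: list[str]) -> dict:
        """Draft rule modelled here: a subdomain order is 201 Created and
        pending, and its authorizations are for the parent domain. An
        identifier outside the policy is rejected (RFC 8555 rejectedIdentifier)."""
        authz_ids = []
        for ident in identifiers:
            parent = covering_parent(ident)
            if parent is None:
                return {"status_code": 403,
                        "type": "urn:ietf:params:acme:error:rejectedIdentifier",
                        "identifier": ident}
            aid = self._valid_authz_for(account, parent)
            if aid is None:   # no valid parent authz yet: create a pending one
                aid = next(self._ids)
                self.authz[aid] = {"account": account, "identifier": parent, "status": "pending"}
            authz_ids.append(aid)
        pending = any(self.authz[a]["status"] != "valid" for a in authz_ids)
        oid = next(self._ids)
        order = {"status": "pending" if pending else "ready",
                 "identifiers": [normalize(i) for i in identifiers],
                 "authorizations": authz_ids}
        self.orders[oid] = order
        return {"status_code": 201, "order_id": oid, **order}

    def complete_challenge(self, authz_id: int) -> None:
        """Stub for a successful validation of the parent domain; a real CA
        does its control-of-domain check here, this toy just flips the state."""
        self.authz[authz_id]["status"] = "valid"
        for order in self.orders.values():
            if order["status"] == "pending" and all(
                    self.authz[a]["status"] == "valid" for a in order["authorizations"]):
                order["status"] = "ready"


def demo() -> tuple[str, str, str, int]:
    """Walk the thread's scenario and return the observable states."""
    srv = ToyAcmeServer()
    first = srv.new_order("acct-1", ["sub0.example.com"])
    parent_authz = srv.authz[first["authorizations"][0]]["identifier"]
    srv.complete_challenge(first["authorizations"][0])
    second = srv.new_order("acct-1", ["sub1.example.com", "sub2.example.com"])
    lookalike = srv.new_order("acct-1", ["example.com.attacker.net"])
    return (parent_authz, srv.orders[first["order_id"]]["status"],
            second["status"], lookalike["status_code"])
```

`demo()` returns `("example.com", "ready", "ready", 403)`: the first order's only authorization is for the parent, the order becomes ready once that parent authorization is valid, the later order for two more subdomains is ready immediately because it reuses that authorization, and the look-alike name is rejected by the label-boundary check rather than silently covered.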