Re: [Acme] Directory metadata; wildcard support; conditional authz creation

Hugo Landau <hlandau@devever.net> Sun, 31 January 2016 20:37 UTC

Return-Path: <hlandau@devever.net>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F3621B2CDF for <acme@ietfa.amsl.com>; Sun, 31 Jan 2016 12:37:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.702
X-Spam-Level:
X-Spam-Status: No, score=-1.702 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CGJvr5fiO8NP for <acme@ietfa.amsl.com>; Sun, 31 Jan 2016 12:37:23 -0800 (PST)
Received: from umbriel.devever.net (umbriel.devever.net [149.202.51.241]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 823331B2CD7 for <acme@ietf.org>; Sun, 31 Jan 2016 12:37:23 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by umbriel.devever.net (Postfix) with ESMTP id BC51C1C60D; Sun, 31 Jan 2016 21:37:21 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=devever.net; h= user-agent:in-reply-to:content-transfer-encoding :content-disposition:content-type:content-type:mime-version :references:message-id:subject:subject:from:from:date:date :received:received; s=mimas; t=1454272641; x=1472462002; bh=u9yK tNwmhr6nM1AO3BXQzdQDBrtQP0GEJi+ziJhnEwU=; b=Mt7E5mRT4quxO19sFnl4 f0sZD0BoVzM/sKjuA3D8zgrVkTdf+jDbMDvFMpWGWAZIjxIiMXOEbzVk7i9pYs5X oilTmH+hSAdHVm4m8QYxWiywm3QGxO2Qf99Ddlsu8WSn6vCzSfLFYp0kp+4Xk6Uo UxKrVGQQf8xmcGiTFDaqDlIEc/xbY37XqE+D3OdGWdTNaU740Y49hK1wv9vJUnRj 5FzaXlJ+DCfuIVo6gtmNvPfZSv3zFSWI0tA1QMi3AxBYJuvxBZRwzlUkE7MyLkL9 72JkUW1r2oI6WM2X6C9VC1OA+u8Cemk3c2hfHZlPRztLhCaqBQVtmguFaG0KpU/W wg==
Received: from umbriel.devever.net ([127.0.0.1]) by localhost (umbriel.devever.net [127.0.0.1]) (amavisd-new, port 10026) with LMTP id xLxw2p07g8wq; Sun, 31 Jan 2016 21:37:21 +0100 (CET)
Received: from andover (localhost [127.0.0.1]) by umbriel.devever.net (Postfix) with ESMTP id 842A11C60B; Sun, 31 Jan 2016 21:37:21 +0100 (CET)
Date: Sun, 31 Jan 2016 20:37:21 +0000
From: Hugo Landau <hlandau@devever.net>
To: Richard =?iso-8859-1?Q?K=F6rber?= <acme@ml.shredzone.de>
Message-ID: <20160131203721.GA8485@andover>
References: <20160131033925.GA29713@andover> <20160130212624.d28caed07b79d3ccb0c24b39@andrewayer.name> <20160131084003.GA26421@andover> <20160131085131.09222b0bd9e64592b75a12f1@andrewayer.name> <56AE59FF.9040006@ml.shredzone.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <56AE59FF.9040006@ml.shredzone.de>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/Lsx80JngVt2UYvngj-0GUe9cbC4>
Cc: acme@ietf.org
Subject: Re: [Acme] Directory metadata; wildcard support; conditional authz creation
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Jan 2016 20:37:25 -0000

By this logic it should be allowed to obtain a certificate for any
domain x.y.z.example.com. if you have an authorization for example.com.
That might be justifiable, but it's a big divergence from the current
design of the protocol.

I think given the current design of the protocol, it would be
inconsistent to allow wildcard domains to be created due to a base
domain authorization.

On Sun, Jan 31, 2016 at 08:01:19PM +0100, Richard Körber wrote:
> 
> > Perhaps the "hostname" field I proposed could support wildcards.  If the
> > server sends the client a challenge with a wildcard in the hostname,
> > the client would need to be prepared to respond to the challenge on any
> > hostname matching the wildcard.  The CA can choose whether to send
> > a challenge for "*.example.com" or just "example.com" when validating a
> > wildcard authz for "*.example.com".
> 
> I couldn't think of a situation where someone owns and controls a domain, but
> would be unable to control any of the subdomains.
> 
> So, wouldn't it be sufficient that for a wildcard domain (*.example.com), only
> the domain itself (example.com) is challenged?
> 
> -- 
> Richard Körber
> 
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme