[Acme] Reply: Comment on draft-ietf-acme-subdomains-06: How about using wildcard certificates for subdomains?
"Yanlei(Ray)" <ray.yanlei@huawei.com> Fri, 10 February 2023 03:47 UTC
From: "Yanlei(Ray)" <ray.yanlei@huawei.com>
To: Deb Cooley <debcooley1@gmail.com>, "acme@ietf.org" <acme@ietf.org>
Thread-Topic: [Acme] Comment on draft-ietf-acme-subdomains-06: How about using wildcard certificates for subdomains?
Date: Fri, 10 Feb 2023 03:46:53 +0000
Message-ID: <a6a4549744b64b1487d5c965e8db5bea@huawei.com>
References: <34218eee7c3a49d5bb1f2d1afb657ed3@huawei.com> <CAGgd1OdOAA40GxvnNfTX1VRR3JoTFkA8jbYvBmmWSZjgY++VBQ@mail.gmail.com>
In-Reply-To: <CAGgd1OdOAA40GxvnNfTX1VRR3JoTFkA8jbYvBmmWSZjgY++VBQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/M347SnA0sgiecBjaFsSRzVSnX0o>
Subject: [Acme] Reply: Comment on draft-ietf-acme-subdomains-06: How about using wildcard certificates for subdomains?
> RFC8555 already addresses wildcards, no?

Yes, wildcards are supported in RFC8555. Meanwhile, there are no mentions of wildcards in draft-ietf-acme-subdomains-06. It seems that wildcard certificates are not suitable for the subdomain scenario. However, I think the wildcard certificate is another candidate for subdomain management. Thus, I am wondering the reason why no wildcard certificates are mentioned in the draft. Are there reasons why wildcard certificates cannot be used in subdomain scenarios?

Regards,
Lei YAN

From: Acme <acme-bounces@ietf.org> on behalf of Deb Cooley
Sent: 4 February 2023 21:32
To: Yanlei(Ray) <ray.yanlei=40huawei.com@dmarc.ietf.org>; acme@ietf.org
Cc: Dorothy E Cooley <decoole@radium.ncsc.mil>
Subject: Re: [Acme] Comment on draft-ietf-acme-subdomains-06: How about using wildcard certificates for subdomains?

RFC8555 already addresses wildcards, no?

Deb Cooley
ACME chair
decoole@radium.ncsc.mil

On Tue, Jan 31, 2023 at 7:11 AM Yanlei(Ray) <ray.yanlei=40huawei.com@dmarc.ietf.org> wrote:

Hi,

I'm new to this group and sorry for the late comment. I just saw this draft and have an idea after reading it. I'd like to know from you experts whether it's reasonable.

The illustration in Section 5 uses Subject Alternative Name (SAN) to list every subdomain name in a certificate. I wonder if this mechanism can be replaced by using a wildcard certificate? Compared with using the Subject Alternative Name (SAN), a wildcard certificate can simplify the complexity and reduce the costs for securing a number of subdomains. As the sub-domain name changes, the client with SAN has to re-apply for its certificate, but the client with a wildcard certificate does not need to change its certificate. I think wildcard certificates have been commonly used in subdomain management.

As illustrated in Section 5:

   +--------+          +------+     +-----+
   | Client |          | ACME |     | DNS |
   +---+----+          +---+--+     +--+--+
       |                   |           |
   STEP 1: Pre-Authorization of ancestor domain
       |                   .           |
       |                   .           |
       |                   .           |
   STEP 2: Place order for sub1.example.org
       |                   .           |
       |                   .           |
       |                   .           |
   STEP 3: Place order for sub2.example.org
       |                   .           |
       |                   .           |
       |                   .           |

If there are multiple subdomains, the client has to place an order multiple times, once for every subdomain. If using a wildcard certificate, the client only needs to place an order once for the wildcard certificate. Then the client can configure its subdomain servers with the same wildcard certificate.

   +--------+          +------+     +-----+
   | Client |          | ACME |     | DNS |
   +---+----+          +---+--+     +--+--+
       |                   |           |
   STEP 1: Pre-Authorization of ancestor domain
       |                   .           |
       |                   .           |
       |                   .           |
   STEP 2: Place order for *.example.org
       |                   |           |

This is just a preliminary idea, and please correct me if I'm thinking wrongly.

Regards,
Lei YAN
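As an added example (not part of the thread, the draft or any ACME implementation), the following Python models the two approaches compared above, per-subdomain orders under a pre-authorized ancestor domain versus a single wildcard order, and checks which host names each resulting certificate covers using the one-label wildcard matching rule of RFC 6125 / RFC 8555. The order objects are reduced to their identifiers, and the assumption that a pre-authorization of the ancestor domain covers subdomains at any depth is this example's own, not the draft's.

```python
"""Added example (not from the draft or the thread): model the two approaches
compared in the thread and check which host names each certificate covers.
Wildcard matching follows RFC 6125 / RFC 8555: '*' matches exactly one DNS
label and only in the left-most position."""


def _labels(name: str) -> list[str]:
    return name.lower().rstrip(".").split(".")


def is_subdomain_of(name: str, ancestor: str) -> bool:
    """True if name is strictly below ancestor, at any depth."""
    n, a = _labels(name), _labels(ancestor)
    return len(n) > len(a) and n[-len(a):] == a


def san_matches(san: str, host: str) -> bool:
    """Does one dNSName SAN entry cover host?  '*.example.org' covers
    'sub1.example.org' but neither 'example.org' nor 'a.sub1.example.org'."""
    s, h = _labels(san), _labels(host)
    if s[0] == "*":
        return len(h) == len(s) and h[1:] == s[1:]
    return h == s


def covered(sans: list[str], hosts: list[str]) -> dict[str, bool]:
    """Per-host coverage of a certificate with the given SAN entries."""
    return {h: any(san_matches(s, h) for s in sans) for h in hosts}


def orders_for_subdomain_model(ancestor: str, hosts: list[str]) -> list[dict]:
    """Section 5 flow: one ACME order per subdomain host.  Assumption (ours, not
    the draft's): the ancestor pre-authorization covers hosts at any depth."""
    return [{"identifiers": [{"type": "dns", "value": h}]}
            for h in hosts if is_subdomain_of(h, ancestor)]


def orders_for_wildcard_model(ancestor: str) -> list[dict]:
    """Proposed alternative: one order for '*.ancestor' (RFC 8555 s.7.1.3)."""
    return [{"identifiers": [{"type": "dns", "value": f"*.{ancestor}"}]}]


if __name__ == "__main__":
    # Constructed sample: the thread's two hosts plus two that expose the limits.
    hosts = ["sub1.example.org", "sub2.example.org",
             "a.sub1.example.org", "example.org"]
    print(len(orders_for_subdomain_model("example.org", hosts)), "subdomain orders")
    print(len(orders_for_wildcard_model("example.org")), "wildcard order")
    print(covered(["*.example.org"], hosts))
```

Running it shows the caveat behind the question: the single wildcard order covers sub1 and sub2 but neither the apex nor a deeper name such as a.sub1.example.org, so those still need their own identifiers, and every server configured with the wildcard certificate shares one private key.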