Re: [Acme] ACME wildcards vs. subdomain authorizations (was RE: Call for adoption draft-frield-acme-subdomains)

Felipe Gasper <felipe@felipegasper.com> Tue, 21 January 2020 14:00 UTC

Return-Path: <felipe@felipegasper.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D15BE1200E5 for <acme@ietfa.amsl.com>; Tue, 21 Jan 2020 06:00:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=felipegasper.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8L3xpIrFwUme for <acme@ietfa.amsl.com>; Tue, 21 Jan 2020 06:00:53 -0800 (PST)
Received: from web1.siteocity.com (web1.siteocity.com [67.227.147.204]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2887E120090 for <acme@ietf.org>; Tue, 21 Jan 2020 06:00:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=felipegasper.com; s=default; h=To:References:Message-Id: Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Subject:Mime-Version: Content-Type:Sender:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=gWigyBzgjTQ1B95hhz09XXyb5eDfO5Wb0rXsDCgWOVM=; b=fk4Le199QLwUrp8rUfSwAKnF4 XS2ONOWO7yd0Nv62Mx1UlWMpcIPCHs5a4nt4jJOm15LAjLuh6sEPO6XqV5C73EHptik/jvyAl3G+d bCyzAMviNPuGs+KF6tLp2S35PabYQiQdv7lVu387jnzLI9tGb7OGv26vFxA3J37nSVEi4XeMdwU4s 8P8cojfJuLRBCMYW3PIWxyrIj7jWwlh/EUEJh8CgXhQPraSjHnCgLsMK+uj7JkcZBVAcS3kcxv3d8 4675HvkTt+HNVvneIZF0iGUrTATisogm6/ET7OswvguymixlewxcVMqio2bbIIGhwjQngVBfTqKUx WKOxpbEtg==;
Received: from hou-2.nat.cptxoffice.net ([184.94.197.2]:53934 helo=[10.3.5.95]) by web1.siteocity.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from <felipe@felipegasper.com>) id 1itu5K-00E3Qk-AW; Tue, 21 Jan 2020 08:00:51 -0600
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Felipe Gasper <felipe@felipegasper.com>
In-Reply-To: <MN2PR11MB3901CDCC1358EEF12169EE1DDB0D0@MN2PR11MB3901.namprd11.prod.outlook.com>
Date: Tue, 21 Jan 2020 09:00:48 -0500
Cc: IETF ACME <acme@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <F65ED1C3-096C-4E06-B255-C3EDC8BCC954@felipegasper.com>
References: <MN2PR11MB3901512A25A395E684808FFBDB5F0@MN2PR11MB3901.namprd11.prod.outlook.com> <MN2PR11MB3901D33CB72236ECF7BA437ADB320@MN2PR11MB3901.namprd11.prod.outlook.com> <B5F428E5-D08E-4EE6-9807-B51395F58643@felipegasper.com> <MN2PR11MB3901CDCC1358EEF12169EE1DDB0D0@MN2PR11MB3901.namprd11.prod.outlook.com>
To: "Owen Friel (ofriel)" <ofriel@cisco.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - web1.siteocity.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - felipegasper.com
X-Get-Message-Sender-Via: web1.siteocity.com: authenticated_id: fgasper/from_h
X-Authenticated-Sender: web1.siteocity.com: felipe@felipegasper.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/N_4Xkw70OCQiWHF_T6m6cK-s01o>
Subject: Re: [Acme] ACME wildcards vs. subdomain authorizations (was RE: Call for adoption draft-frield-acme-subdomains)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jan 2020 14:00:58 -0000

> On Jan 21, 2020, at 7:13 AM, Owen Friel (ofriel) <ofriel@cisco.com> wrote:
> 
>> 
>> Will this document eventually also describe subdomain authz via the standard
>> ACME workflow?
>> 
>> <snip>
> 
> [ofriel] That’s the exact workflow that the document is attempting to describe, so maybe it needs to be clarified.
> The example section https://tools.ietf.org/html/draft-friel-acme-subdomains-01#section-4.2 (and I realise now looking at it that I messed up the numbered steps - they are all '1') outlines a client authorizing for "example.com" and getting certs for "sub0.example.com", "sub1.example.com" and "sub2.example.com". If its not clear, I can try reword in an update.

Your document seems to confine itself to the pre-authorization workflow, though (as per section 4’s 2nd paragraph, anyhow); I’m thinking applicability to 8555’s default/standard/order-then-authz workflow.

-FG