Re: [Acme] Directory metadata; wildcard support; conditional authz creation

Andrew Ayer <agwa@andrewayer.name> Sun, 31 January 2016 16:51 UTC

Date: Sun, 31 Jan 2016 08:51:31 -0800
From: Andrew Ayer <agwa@andrewayer.name>
To: Hugo Landau <hlandau@devever.net>
Message-Id: <20160131085131.09222b0bd9e64592b75a12f1@andrewayer.name>
In-Reply-To: <20160131084003.GA26421@andover>
References: <20160131033925.GA29713@andover> <20160130212624.d28caed07b79d3ccb0c24b39@andrewayer.name> <20160131084003.GA26421@andover>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/Nn1fnjCkx2qZjqdprWvCouxoOtY>
Cc: acme@ietf.org
Subject: Re: [Acme] Directory metadata; wildcard support; conditional authz creation

On Sun, 31 Jan 2016 08:40:03 +0000
Hugo Landau <hlandau@devever.net> wrote:

> You misunderstand, perhaps I should clarify the wording; the server
> never tells. You don't get to know the random subdomains it requests.
> This ensures that the wildcard exists and is under control.
>
> Adding a requirement for base domain control would be fine but I don't
> see the need.

Ohhh, I see.  Yes, I misunderstood.  That seems secure and I agree the
base domain doesn't need to be validated with that scheme.

Perhaps the "hostname" field I proposed could support wildcards.  If the
server sends the client a challenge with a wildcard in the hostname,
the client would need to be prepared to respond to the challenge on any
hostname matching the wildcard.  The CA can choose whether to send
a challenge for "*.example.com" or just "example.com" when validating a
wildcard authz for "*.example.com".

That said, it seems like it might be hard for the client to complete
the challenge when it doesn't know the exact hostnames. Apache and nginx
support wildcards for matching virtual hosts, but do other web servers?
DNS only supports wildcards in the left-most label, so there's no way to
provision a TXT record for _acme-challenge.*.example.com unless you have
a fancy DNS server.  (Although I don't think this scheme is needed with
DNS - I don't think there's a likely scenario where someone could set a
TXT record for _acme-challenge.example.com, but not for _acme-challenge
in any arbitrary sub-domain of example.com.)

-- Andrew
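As an added illustration (not code from this thread, the ACME drafts, or any CA or client), the Python below sketches the two pieces the message above touches: a responder that answers a challenge only when the requested hostname falls under a wildcard it was authorized for, using single-label matching so that neither the bare domain nor a deeper subdomain is served by mistake, and a check of which owner names RFC 4592 DNS wildcard synthesis can express, which is why a name like `_acme-challenge.*.example.com` cannot be a wildcard record (the `*` must be the entire leftmost label). All function names and the sample inputs are constructed assumptions.

```python
"""Hypothetical helpers for the wildcard-challenge idea discussed above.

Constructed example: not code from the ACME specification or any CA/client.
"""


def _labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels, dropping a trailing dot."""
    labels = name.rstrip(".").lower().split(".")
    if any(not label for label in labels):
        raise ValueError(f"empty label in {name!r}")
    return labels


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Certificate-style wildcard match: '*' is allowed only as the whole
    leftmost label and matches exactly one label (no partial-label
    wildcards, no multi-label matches). Assumption: same rules a TLS client
    applies to a *.example.com certificate name."""
    p = _labels(pattern)
    h = _labels(hostname)
    if "*" not in p:
        return p == h
    if p[0] != "*" or "*" in p[1:]:
        raise ValueError("wildcard must be the entire leftmost label")
    if len(h) != len(p) or "*" in h[0]:
        return False
    return h[1:] == p[1:]


def should_answer(authorized: list[str], host_header: str) -> bool:
    """Decide whether a challenge responder should serve a key authorization
    for the Host it was asked for. Only DNS names are accepted; IP literals
    and malformed names are refused. Port suffixes are stripped."""
    host = host_header.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, never under a wildcard
        return False
    host = host.split(":", 1)[0]
    try:
        return any(wildcard_matches(p, host) for p in authorized)
    except ValueError:
        return False


def challenge_txt_name(hostname: str) -> str:
    """Owner name a CA would query for a DNS challenge on `hostname`,
    using the _acme-challenge prefix mentioned in the thread."""
    return "_acme-challenge." + ".".join(_labels(hostname))


def is_valid_dns_wildcard_owner(owner: str) -> bool:
    """RFC 4592: a wildcard owner name has '*' as its leftmost label only."""
    labels = _labels(owner)
    return labels[0] == "*" and "*" not in labels[1:]


def dns_wildcard_covers(owner: str, qname: str) -> bool:
    """Whether RFC 4592 synthesis from `owner` would answer `qname`, assuming
    no closer-enclosing name exists in the zone: qname must sit one or more
    labels below the wildcard's parent."""
    if not is_valid_dns_wildcard_owner(owner):
        raise ValueError(f"{owner!r} is not a valid DNS wildcard owner")
    parent = _labels(owner)[1:]
    q = _labels(qname)
    return len(q) > len(parent) and q[-len(parent):] == parent


if __name__ == "__main__":
    # Constructed sample: the CA probes a random subdomain of the wildcard.
    random_probe = "x7k2q9.example.com"
    print(should_answer(["*.example.com"], random_probe + ":443"))  # True
    print(should_answer(["*.example.com"], "example.com"))           # False
    print(challenge_txt_name(random_probe))
    print(is_valid_dns_wildcard_owner("_acme-challenge.*.example.com"))  # False
```

The `should_answer` check is the part a deployment would hook into its virtual-host or HTTP routing: it refuses the bare domain, deeper subdomains, IP literals and malformed names, so a responder configured for `*.example.com` never serves a validation response for a name outside that authorization. The DNS helpers only classify owner names; they do not consult a resolver.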