IETF Logo Mail Archive

Re: [Acme] orders, authorizations, and identifiers (oh my)

Daniel McCarney <cpu@letsencrypt.org> Tue, 16 July 2019 14:42 UTC

Return-Path: <dmccarney@letsencrypt.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADD3012069F for <acme@ietfa.amsl.com>; Tue, 16 Jul 2019 07:42:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wbWtB47clrEa for <acme@ietfa.amsl.com>; Tue, 16 Jul 2019 07:42:45 -0700 (PDT)
Received: from mail-wr1-x42a.google.com (mail-wr1-x42a.google.com [IPv6:2a00:1450:4864:20::42a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 552A5120690 for <acme@ietf.org>; Tue, 16 Jul 2019 07:42:45 -0700 (PDT)
Received: by mail-wr1-x42a.google.com with SMTP id f9so21223622wre.12 for <acme@ietf.org>; Tue, 16 Jul 2019 07:42:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; h=mime-version:references:in-reply-to:reply-to:from:date:message-id :subject:to:cc; bh=vtKTo1sLsu3GrwqSxQNemBNHBzRBQPOQgkJjjY9eb74=; b=FVxUbbG0GHZqTccq9hhnLt5wdq7lalSHGNg61pDIkVwmV9Bvv/Xi3jd5WDJO6fdhXJ 7+Q1lUbzwzXFE8tiCYcVHXnRuGb4tbfijbFIPzputK0ywii42oTL5+wmlFSEkiOhGR2v JnsuaXFaPAlu8MdUw4c9APQNZUfn7RudupTt0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:reply-to :from:date:message-id:subject:to:cc; bh=vtKTo1sLsu3GrwqSxQNemBNHBzRBQPOQgkJjjY9eb74=; b=Epca0LzeQo9n1gSumU8bcDbMd+muEBpLtSuvunJlZnY4AT/bMgYcZRkC3oDpD8ml6P RU9HAQuNJ6uWhAq4bGkkRtMP03Own9EetuSGN3xiFEdKs72x7Km6lid2UMsy8QP6yTcj C9FRoBr34TPHo7xyuobHhA5+j9HWQ3o395oN+rr06tnXGaHY1YUF1KtMiJp6C2HDilmp OEbfEC9zGjVnGnh6vURGa0oJUS+71yfgaVTgmGINVIp74TQvs1rMedE8W0M0ZV1C4D+v xrE3iTS01opHdQc6yl3s0r75WDHuGXrRo6071jaffuljix1FXlTnqJz11Fo50hvWoIed 3YHg==
X-Gm-Message-State: APjAAAWgQKssSTN/DKRh/eMNgmh3xRmADVWivOlHYONAwCnUjmGLWRjb 1ATahaM+Wt1jmyvHAhGLx+e2LVugVwDh8eyFnrgRBFq9Xv4=
X-Google-Smtp-Source: APXvYqz++8BFQJsyDFdwIvnd8m81tvoKqA44lvaY2BVLwZ12iU6XFTWYspj20pyttolM0DB5NC+hoAYMScmGaANQeCA=
X-Received: by 2002:adf:e442:: with SMTP id t2mr30790368wrm.286.1563288163744; Tue, 16 Jul 2019 07:42:43 -0700 (PDT)
MIME-Version: 1.0
References: <21BBD7F5-8D80-4ACC-B51F-B362A39A5A93@felipegasper.com> <CAKnbcLiQ5+byqfTtf8WA7QPYLufc6TFb97dAFH0Tdc5XzJusZQ@mail.gmail.com> <BAF155C7-90CF-4FE5-BE24-35BD9FDFA900@felipegasper.com> <CAKnbcLjF_6x4nkht4CzJBomMwzVXkTQz1p5b=ioaVcT+PnumbQ@mail.gmail.com> <8A5474D4-AC64-431E-96E5-F5EFF989235E@felipegasper.com>
In-Reply-To: <8A5474D4-AC64-431E-96E5-F5EFF989235E@felipegasper.com>
Reply-To: cpu@letsencrypt.org
From: Daniel McCarney <cpu@letsencrypt.org>
Date: Tue, 16 Jul 2019 10:42:32 -0400
Message-ID: <CAKnbcLgWOhrdZxq4x1=YAyP2mp+KF_gER33LYvfvE+S17escEw@mail.gmail.com>
To: Felipe Gasper <felipe@felipegasper.com>
Cc: IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ae89fe058dcd631a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/RSGdnUuefV0Y1JLvfe2NiNdJSUQ>
Subject: Re: [Acme] orders, authorizations, and identifiers (oh my)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jul 2019 14:42:49 -0000

>
> I get that; what I’m looking to confirm--and I’m reasonably sure is the
> case--is that, given a failed order, it’s up to server policy to spell out
> whether a client may reasonably suppose that a 2nd order against a subset
> of the identifiers from the 1st order would pass all of the 2nd set of
> authzs.


Ahhh, gotcha! Apologies for misunderstanding that was the crux of the
follow-up q.

Going back to the hypothetical Fred/Jane/Pat CA, though, for a client to
> know how to submit that 2nd order there would need to be some policy
> external to ACME that would indicate the feasibility of such a thing.

Does that sound right?


Yes, I think it does. Maybe there's something clever you could do with the
problems returned during the initial order flow that would help hint to
this but I'm uncertain.



On Tue, Jul 16, 2019 at 10:35 AM Felipe Gasper <felipe@felipegasper.com>
wrote:

> I get that; what I’m looking to confirm--and I’m reasonably sure is the
> case--is that, given a failed order, it’s up to server policy to spell out
> whether a client may reasonably suppose that a 2nd order against a subset
> of the identifiers from the 1st order would pass all of the 2nd set of
> authzs.
>
> For LE, for example, a client can simply look at the ids of the failed
> authzs and omit those ids from the 2nd order.
>
> Going back to the hypothetical Fred/Jane/Pat CA, though, for a client to
> know how to submit that 2nd order there would need to be some policy
> external to ACME that would indicate the feasibility of such a thing.
>
> Does that sound right?
>
> -F
>
> > On Jul 16, 2019, at 10:24 AM, Daniel McCarney <cpu@letsencrypt.org>
> wrote:
> >
> > So if we tell the human operator, “Jane & Pat gave the OK, but Fred said
> not”, then it’s left to server policy to determine whether that means a
> hypothetical order with just one or the other domain would pass all authzs?
> >
> > No, if the server returned three authorizations all three must be
> status=valid for the order to be ready for issuance. Earlier drafts had a
> notion of challenge combinations that would allow something sort of similar
> but it was dropped.
> >
> > Per 7.1.6:
> >
> > Order objects are created in the "pending" state. Once all of the
> authorizations listed in the order object are in the "valid" state, the
> order transitions to the "ready" state.
> >
> > The server policy is exercised by the choice of
> authorizations/challenges in the pending order, not by the client deciding
> which authorizations in an order to satisfy.
> >
> > On Tue, Jul 16, 2019 at 10:11 AM Felipe Gasper <felipe@felipegasper.com>
> wrote:
> >
> > > On Jul 16, 2019, at 9:28 AM, Daniel McCarney <cpu@letsencrypt.org>
> wrote:
> > >
> > > So it would be reasonable for this order to contain a single authz …
> and would that authz’s identifier be just “example.com”, then? Thus that
> authz object would not reference “www”, even though it is that domain’s
> corresponding authz object? Or would a client be accountable for
> implementing a “best-match authz” lookup to determine which authz
> corresponds to a given domain?
> > >
> > > Yes, I would expect the order's one authorization to have the
> identifier "example.com".
> > >
> > > I believe the confusion here is when you say "even though it is that
> domain's corresponding authz object" and "Since the order requires
> successful authz for both domains".
> > >
> > > For the first part, as I understand there is no guaranteed
> correspondence between any of the identifiers in the order request and the
> identifiers in the returned authorizations. That's what the sentence you
> quoted on p26 is meant to convey. The client shouldn't attempt to match
> authz's to requested identifiers at all, it should just look at the
> identifiers in the authorizations returned by the server and prove control
> of those identifiers with the challenges available.
> >
> > Thank your for your response. I think I see what’s going on.
> >
> > To flesh out a hypothetical a bit more:
> >
> > order identifiers: example.com, www.example.com
> >
> > authzs:
> >   0)
> >     - identifier: { type: person, value: Fred }
> >     - challenge: ask if it’s ok
> >   1)
> >     - identifier: { type: person, value: Jane }
> >     - challenge: ask if it’s ok
> >   2)
> >     - identifier: { type: person, value: Pat }
> >     - challenge: ask if it’s ok
> >
> > So if we tell the human operator, “Jane & Pat gave the OK, but Fred said
> not”, then it’s left to server policy to determine whether that means a
> hypothetical order with just one or the other domain would pass all authzs?
> >
> > -F
> > _______________________________________________
> > Acme mailing list
> > Acme@ietf.org
> > https://www.ietf.org/mailman/listinfo/acme
>
>

v2.23.0 | Report a Bug | By Email