Re: [Acme] acme subdomains open items

Felipe Gasper <felipe@felipegasper.com> Fri, 04 December 2020 13:34 UTC

From: Felipe Gasper <felipe@felipegasper.com>
Date: Fri, 04 Dec 2020 08:34:30 -0500
Cc: acme@ietf.org
To: "Owen Friel (ofriel)" <ofriel=40cisco.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/RemViTyPtCJtcga6XWOJWtXGQBU>

I wasn’t part of IETF 109... was it discussed simply to give CAs the ability to choose whether it tries authz against parent domains without the client’s requesting it?

This is how our (non-ACME) Sectigo integration works currently, and it suits us well.

-F

> On Dec 4, 2020, at 02:23, Owen Friel (ofriel) <ofriel=40cisco.com@dmarc.ietf.org> wrote:
> 
> Hi all,
>  
> As recommended by the chairs at IETF109, bring the two open items to the list for discussion. These were raised by Felipe and Ryan previously.
>  
> 1: Does the client need a mechanism to indicate that they want to authorize a parent domain and not the explicit subdomain identifier? Or a mechanism to indicate that they are happy to authorize against a choice of identifiers?
>  
> E.g. for foo1.foo2.bar.example.com, should the client be able to specify anywhere from 1 to 4 identifiers they are willing to fulfil challenges for?
>  
> 2: Does the server need a mechanism to provide a choice of identifiers to the client and let the client choose which challenge to fulfil?
>  
> E.g. for foo1.foo2.bar.example.com, should the server be able to specify anywhere from 1 to 4 identifiers that the client can pick from to fulfil?
>  
> Both 1 and 2 require JSON object definition changes. Currently, the document only defines how a client can submit a newOrder / newAuthz for a subdomain, and the server can choose any one parent identifier that it requires a challenge fulfilment on.
>  
> Owen
>  
> https://datatracker.ietf.org/meeting/109/materials/slides-109-acme-subdomains-01
>  
> https://tools.ietf.org/html/draft-friel-acme-subdomains-03#section-4
>  
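An added illustration of the semantics behind both open items above (not code from the draft, from Owen, or from any CA): for a requested name it enumerates the 1-to-4 candidate identifiers, checks whether an authorization held for one of them covers the requested subdomain, and models the server choosing among identifiers the client says it is willing to fulfil. The public-suffix set is a constructed stand-in for a real Public Suffix List lookup.

```python
from typing import List, Optional

# Constructed stand-in for the Public Suffix List (assumption for this example):
# names a CA must never treat as an authorizable parent.
PUBLIC_SUFFIXES = {"com", "co.uk"}


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are by label."""
    return name.rstrip(".").lower()


def candidate_identifiers(fqdn: str) -> List[str]:
    """Identifiers, most specific first, whose authorization could satisfy
    an order for `fqdn`: the name itself plus every ancestor above it, stopping
    before the public suffix.  foo1.foo2.bar.example.com yields four names."""
    labels = normalize(fqdn).split(".")
    out = []
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand in PUBLIC_SUFFIXES:
            break
        out.append(cand)
    return out


def authz_covers(authorized: str, requested: str) -> bool:
    """Server-side check: does a valid authorization for `authorized` cover
    `requested`?  True only for the same name or a proper ancestor that is
    not a public suffix; wildcards are out of scope here and rejected."""
    a, r = normalize(authorized), normalize(requested)
    if a in PUBLIC_SUFFIXES or "*" in a or "*" in r:
        return False
    return r == a or r.endswith("." + a)


def choose_challenge_identifier(requested: str,
                                client_offers: Optional[List[str]] = None) -> Optional[str]:
    """Model of item 1: the client lists the identifiers it will fulfil and the
    server picks the least specific one it accepts.  With no client list the
    server is free to pick any candidate; this model picks the least specific."""
    cands = candidate_identifiers(requested)
    if not cands:
        return None
    if client_offers is None:
        return cands[-1]
    offered = {normalize(c) for c in client_offers}
    for cand in reversed(cands):  # least specific first
        if cand in offered:
            return cand
    return None  # nothing the client offered is an acceptable parent
```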