Re: [Acme] Optional "Wildcard" authorization field
Richard Körber <acme2@ml.shredzone.de> Fri, 02 March 2018 20:26 UTC
Return-Path: <acme2@ml.shredzone.de>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8891127369 for <acme@ietfa.amsl.com>; Fri, 2 Mar 2018 12:26:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level:
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=shredzone.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NpXvJ4FkNPJ0 for <acme@ietfa.amsl.com>; Fri, 2 Mar 2018 12:26:06 -0800 (PST)
Received: from arrietty.shredzone.net (arrietty.shredzone.net [213.133.102.195]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E254F12D7F1 for <acme@ietf.org>; Fri, 2 Mar 2018 12:26:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=shredzone.net; s=dkim_1; h=Content-Transfer-Encoding:Content-Type: In-Reply-To:MIME-Version:Date:Message-ID:From:References:To:Subject:Sender: Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=P23Ut+ORqewinrAqwBxs75Hom/fnh1/FsjL0qZJpml0=; b=QHDKMeiBy4+3/wfh7OkeOQKcqm bed+Jxjkn7Azow7Hmu+QvpbgJ8iyHJPAQzGM7l5J/1aTMi0neOCkFAeEPZAkaSXJdEGixelGJmfYa pdCO4Sf9puGvKV3uJ8teaF7y83Swh0pzA0hLYExtOaoDsQE9DZg7eITMEwOPFOTNm/A4=;
Received: from static-87-79-75-184.netcologne.de ([87.79.75.184] helo=ronja.home) by arrietty.shredzone.net with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.89) (envelope-from <acme2@ml.shredzone.de>) id 1errFk-00085T-Dx for acme@ietf.org; Fri, 02 Mar 2018 21:26:04 +0100
To: acme@ietf.org
References: <CAKnbcLjuVPZa5P2FZa_cKAGmk1dP6ezrv3AgWSp9KK5HCzxPbg@mail.gmail.com> <CAL02cgQwZzKXvPsWr=tAbB-bi2s-gw3+TtJwkawHoEEb=6MiFw@mail.gmail.com> <CAKnbcLiQdjaPN32j8WOo5vhvfoTvHPYZj5pictb47ZTWvmJXYA@mail.gmail.com> <D423B0BF-E0A8-462F-8937-BB70EF490314@felipegasper.com>
From: Richard Körber <acme2@ml.shredzone.de>
Message-ID: <ae2d48d0-d4b3-9d58-0059-d4dae1e230d6@ml.shredzone.de>
Date: Fri, 02 Mar 2018 21:26:04 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <D423B0BF-E0A8-462F-8937-BB70EF490314@felipegasper.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: de-DE
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/SUarRD7XIIINX43x5eeJGHQgI5Q>
Subject: Re: [Acme] Optional "Wildcard" authorization field
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Mar 2018 20:26:09 -0000
Hi!
I also see the problem that clients might get confused because there are
seemingly two authentications for the very same domain ("example.com").
Without a proper flag, they could only be distinguished by the different set
of challenges, but that would assume knowledge of server internas.
Also, the client could actively validate the authorization having
wildcard=true first, and then could check if it is still necessary to do the
other authorization. Depending on the server implementation, if verifying the
wildcard domain also validates the domain itself, it could save an unnecessary
challenge round trip.
--
Richard Körber
Am 02.03.2018 um 19:28 schrieb Felipe Gasper:
> One (fairly) obvious use of the “wildcard” flag is for status reporting without the context of the original newOrder. The client can thus more easily say:
>
> Authorization for “*.example.com”: $message
>
> … without having to correlate the authz object with the order.
>
> -FG
>
>> On Mar 2, 2018, at 12:32 PM, Daniel McCarney <cpu@letsencrypt.org> wrote:
>>
>> Richard: That's up to the client and the situation. In the linked Certbot issues there were questions about error output/UX. In this case if the client saw an error attached to an authorization with the identifier `{ "type": "dns", "value": "example.com"}` and the authorization had `wildcard: true` the client could say "Failed to authorize *.example.com: blah blah blah" or otherwise use the knowledge to inform their actions (whatever they may be).
>>
>> In general I think there will be reason for client developers will want to have a standardized way of understanding if an authorization corresponds to a wildcard identifier or not. I'm hopeful some client developers will chime in with more concrete examples, I'm a server-side grunt.
>>
>> - Daniel / cpu
>>
>> On Fri, Mar 2, 2018 at 12:29 PM, Richard Barnes <rlb@ipv.sx> wrote:
>> Daniel: I don't have a strong objection here, but could you elaborate what the client is expected to do differently based on this flag?
>>
>> On Fri, Mar 2, 2018 at 12:22 PM, Daniel McCarney <cpu@letsencrypt.org> wrote:
>> Hi folks,
>>
>> There is a slight disconnect with the current specification between identifiers in newOrder/newAuthz requests and identifiers in authorization objects. The former is allowed to include wildcard domains in the value of DNS type identifiers while the latter is forbidden.
>>
>> Let's Encrypt's implementation of ACME wildcard issuance guessed this might lead to confusion and introduced a non-standardized "Wildcard" boolean field in authorization objects. If true, then the identifier value in the authorization identifier is known to be the base domain corresponding to a wildcard identifier from the newOrder/newAuthz request.
>>
>> I think it would be beneficial to the entire ecosystem if this optional "wildcard" authz field could be standardized so I've sent a small PR: https://github.com/ietf-wg-acme/acme/pull/402 Both Certbot and ACME4J have independently bumped into this disconnect, which helps justify the need.
>>
>> - Daniel / cpu
>>
>>
>>
>>
>> _______________________________________________
>> Acme mailing list
>> Acme@ietf.org
>> https://www.ietf.org/mailman/listinfo/acme
>>
>>
>>
>> _______________________________________________
>> Acme mailing list
>> Acme@ietf.org
>> https://www.ietf.org/mailman/listinfo/acme
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>
- [Acme] Optional "Wildcard" authorization field Daniel McCarney
- Re: [Acme] Optional "Wildcard" authorization field Richard Barnes
- Re: [Acme] Optional "Wildcard" authorization field Daniel McCarney
- Re: [Acme] Optional "Wildcard" authorization field Felipe Gasper
- Re: [Acme] Optional "Wildcard" authorization field Richard Körber
- Re: [Acme] Optional "Wildcard" authorization field Richard Körber
- Re: [Acme] Optional "Wildcard" authorization field Brad Warren
- Re: [Acme] Optional "Wildcard" authorization field Sophie Herold
- Re: [Acme] Optional "Wildcard" authorization field Daniel McCarney
- Re: [Acme] Optional "Wildcard" authorization field Richard Barnes
- Re: [Acme] Optional "Wildcard" authorization field Daniel McCarney