Re: [Acme] ACME subdomains

"Manger, James" <James.H.Manger@team.telstra.com> Thu, 03 September 2020 04:52 UTC

From: "Manger, James" <James.H.Manger@team.telstra.com>
To: "Owen Friel (ofriel)" <ofriel=40cisco.com@dmarc.ietf.org>, Ryan Sleevi <ryan-ietf@sleevi.com>
CC: Jacob Hoffman-Andrews <jsha@letsencrypt.org>, "acme@ietf.org" <acme@ietf.org>, Felipe Gasper <felipe@felipegasper.com>
Thread-Topic: [Acme] ACME subdomains
Thread-Index: AQHWarjg5Wot2hi3Y0KoQP85BZr/xKkonzMAgCylg4CAAFt6gIAAydIAgAAWQpA=
Date: Thu, 03 Sep 2020 04:51:58 +0000
Message-ID: <ME2PR01MB301195739E6880D831DDC3B6E52C0@ME2PR01MB3011.ausprd01.prod.outlook.com>
References: <AC488DAF-A24F-4B1A-9192-7ACD75F7EF48@felipegasper.com> <CAN3x4QmGDGGbeVXhH9NjMwSRLi97XX+di2tUAO0kNLyfCNABUA@mail.gmail.com> <CY4PR11MB16854D2F1B8E271BB8ABF7BDDB2F0@CY4PR11MB1685.namprd11.prod.outlook.com> <CAErg=HE+0WDTNVCZBnxPP_Mdh_w4LCxc0MOp6ZeMFBt_x5BncA@mail.gmail.com> <CY4PR11MB16855F30DC87D1CA85396D55DB2C0@CY4PR11MB1685.namprd11.prod.outlook.com>
In-Reply-To: <CY4PR11MB16855F30DC87D1CA85396D55DB2C0@CY4PR11MB1685.namprd11.prod.outlook.com>
Accept-Language: en-AU, en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/TH-TtkMkKmbW-SD0M60uoDqcqJc>
Subject: Re: [Acme] ACME subdomains
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Sep 2020 04:52:29 -0000

>> There’s a lot of mixing of example.org and example.com here, in ways I’m having trouble making sense of. I just wanted to confirm those were typos, since we have recently seen some confusion around this space.

> I followed the patterns used in RFC8555 which consistently uses example.com as the ACME server base domain and example.org as the client certificate identifier base domain, but yes Ryan I did find this a source of confusion too when reading ACME.
>
> For clarity, I replaced all example.com with acmeserver.com, and left all the client identifiers as example.org.

https://tools.ietf.org/html/draft-friel-acme-subdomains-02 and https://github.com/upros/acme-subdomains/blob/master/draft-friel-acme-subdomains.md don’t seem to follow RFC 8555’s convention at all, which could be the confusion.

Trampling on another arbitrary domain name – acmeserver.com – is worse; unless you can think of an additional domain name to reserve with an update to RFC 6761 Special-Use Domain Names.

Stick with the RFC 8555 ACME convention. Maybe tweak it to be, say, site.example.org and ca.example.com if that is clearer.
Plus a sentence stating the convention used would help.

--
James Manger