Re: [Acme] ACME subdomains

Jacob Hoffman-Andrews <jsha@letsencrypt.org> Tue, 04 August 2020 23:53 UTC

Return-Path: <jsha@letsencrypt.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0FE43A11F8 for <acme@ietfa.amsl.com>; Tue, 4 Aug 2020 16:53:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dmYmlwVWifqN for <acme@ietfa.amsl.com>; Tue, 4 Aug 2020 16:53:01 -0700 (PDT)
Received: from mail-qk1-x72a.google.com (mail-qk1-x72a.google.com [IPv6:2607:f8b0:4864:20::72a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E17323A11F6 for <acme@ietf.org>; Tue, 4 Aug 2020 16:53:00 -0700 (PDT)
Received: by mail-qk1-x72a.google.com with SMTP id l23so40205573qkk.0 for <acme@ietf.org>; Tue, 04 Aug 2020 16:53:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Ma1BFz3cgpyvUtNgtBUXES2TKRq45nX9z4WfOLgCLGw=; b=L+Sm2tsbHpWanTqJ2t2/YRQ79f9l9DRwc+/tyoGXD7A6rhmfew08v0xHoryFcb08Mo XILdlYLcTdOLt5jCtjXaVV3dKt6NunHxGjj5UpxZZU52fq7uxj9eR9N9rOocZQqx+y+3 ctBYFpN6HXIcJLcjOCY5WUPBEFM855RQ5C/HE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Ma1BFz3cgpyvUtNgtBUXES2TKRq45nX9z4WfOLgCLGw=; b=aEiqGHWgkHpmGj/XKLlz2ryxJbAkP5fB90N0i/10Fx6JUVOxqHGZUMKc88CLjglS84 bSlfpAWU2g3ojfY4nyOgtDcBREjfVjz1I4raZa9HTpdYmbW1IB/3oDJd8AMYY+/GN/Js e5RdagYnNmKQGuaIEXgaru4Aj7U2OmshdRcfptxVwsx0JXF9n0uVFZ5fmXQioBobfxWP N0i4jMRxanJfXoA93Du5ylxI0nJy8QMhwSJtUrqlwPos9l6RO4pFP5Z8QtzhdNPNNdd1 G1lYxp//nnv9NkvzAaCGvEC5UZ9LWgh0iaLOL9zzyg/mf8pxrm33yquxXM3YJjh05YBj PDmA==
X-Gm-Message-State: AOAM532quQ8Maixx/bE9tLK9cJQ9tyDHWnHqP7SCKidG6aAqRyFmL5/W lWtzRqG2a8VDnXNWwNo/d6eTBkxOMYF/zXmzinQ8+ibB
X-Google-Smtp-Source: ABdhPJy3nUyeq9kOAGK/oo8yG7b/LDgBj7I06YrFPeVdnauDMMRm53T7VRSk9IwUJxclCgPxNgWvbEQBBvKT/AGJeSY=
X-Received: by 2002:a37:48c7:: with SMTP id v190mr717098qka.153.1596585179981; Tue, 04 Aug 2020 16:52:59 -0700 (PDT)
MIME-Version: 1.0
References: <AC488DAF-A24F-4B1A-9192-7ACD75F7EF48@felipegasper.com>
In-Reply-To: <AC488DAF-A24F-4B1A-9192-7ACD75F7EF48@felipegasper.com>
From: Jacob Hoffman-Andrews <jsha@letsencrypt.org>
Date: Tue, 4 Aug 2020 16:52:34 -0700
Message-ID: <CAN3x4QmGDGGbeVXhH9NjMwSRLi97XX+di2tUAO0kNLyfCNABUA@mail.gmail.com>
To: Felipe Gasper <felipe@felipegasper.com>
Cc: acme@ietf.org
Content-Type: multipart/alternative; boundary="00000000000081cdc705ac15f494"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Ux9aUhwSmB0jj3lnPudNQhOvgwY>
Subject: Re: [Acme] ACME subdomains
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Aug 2020 23:53:03 -0000

I haven't followed the "ACME for subdomains" conversation closely, but the
base semantics of ACME are designed such that they can express "all of"
semantics AND "one of" semantics. For a given Order, a client has to fulfil
*all* the Authorizations; for a given Authorization, a client has to
fulfil *one
of* the Challenges.

To take advantage of this, you would need to define a new challenge type
that expresses validating a parent domain. For instance "dns-parent-01." It
would contain the name of the parent domain as a field.

If a server has the policy that validating control of either
foo.bar.example.com or example.com is sufficient to issue for
foo.bar.example.com, it would respond to newOrder requests for
foo.bar.example.com by creating an Order with one Authorization (for
foo.bar.example.com), and that Order would have two Challenges: "dns-01"
and "dns-parent-01" (with a parent domain of "example.com"). The client
could then choose which challenge to attempt.