Re: [Acme] ACME subdomains
Jacob Hoffman-Andrews <jsha@letsencrypt.org> Tue, 04 August 2020 23:53 UTC
References: <AC488DAF-A24F-4B1A-9192-7ACD75F7EF48@felipegasper.com>
In-Reply-To: <AC488DAF-A24F-4B1A-9192-7ACD75F7EF48@felipegasper.com>
From: Jacob Hoffman-Andrews <jsha@letsencrypt.org>
Date: Tue, 04 Aug 2020 16:52:34 -0700
Message-ID: <CAN3x4QmGDGGbeVXhH9NjMwSRLi97XX+di2tUAO0kNLyfCNABUA@mail.gmail.com>
To: Felipe Gasper <felipe@felipegasper.com>
Cc: acme@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Ux9aUhwSmB0jj3lnPudNQhOvgwY>
I haven't followed the "ACME for subdomains" conversation closely, but the base semantics of ACME are designed such that they can express "all of" semantics AND "one of" semantics. For a given Order, a client has to fulfil *all* the Authorizations; for a given Authorization, a client has to fulfil *one of* the Challenges. To take advantage of this, you would need to define a new challenge type that expresses validating a parent domain. For instance "dns-parent-01." It would contain the name of the parent domain as a field. If a server has the policy that validating control of either foo.bar.example.com or example.com is sufficient to issue for foo.bar.example.com, it would respond to newOrder requests for foo.bar.example.com by creating an Order with one Authorization (for foo.bar.example.com), and that Order would have two Challenges: "dns-01" and "dns-parent-01" (with a parent domain of "example.com"). The client could then choose which challenge to attempt.
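As an added illustration (not code from this message, from Let's Encrypt, or from any ACME implementation), the following Python models the two rules described above: an Order is ready only when all of its Authorizations are valid, and an Authorization is valid as soon as one of its Challenges is. It also sketches the hypothetical "dns-parent-01" challenge. Everything about that challenge beyond what the message says is an assumption: that it carries a `parent` field, that it is validated exactly like dns-01 except that the TXT record is looked up at `_acme-challenge.<parent>`, and that the CA's policy for choosing the parent is "the last two labels" (a real CA would consult the Public Suffix List so that a public suffix is never offered as a parent). The client key, tokens and the in-memory "zone" are constructed sample data; key authorization, dns-01 record contents and the JWK thumbprint follow RFC 8555 and RFC 7638.

```python
import base64
import hashlib
import json
import secrets
from dataclasses import dataclass
from typing import Optional


def b64url(data: bytes) -> str:
    """Unpadded base64url, as RFC 8555 uses for tokens, thumbprints and TXT values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


@dataclass
class Challenge:
    type: str                      # "dns-01" (RFC 8555) or the hypothetical "dns-parent-01"
    token: str
    parent: Optional[str] = None   # assumed dns-parent-01 field: name whose control is accepted instead
    status: str = "pending"


@dataclass
class Authorization:
    identifier: str
    challenges: list

    @property
    def status(self) -> str:
        # "one of": a single valid challenge makes the authorization valid;
        # a failed attempt makes it invalid (RFC 8555, section 7.1.6)
        statuses = [c.status for c in self.challenges]
        if "valid" in statuses:
            return "valid"
        if "invalid" in statuses:
            return "invalid"
        return "pending"


@dataclass
class Order:
    authorizations: list

    @property
    def status(self) -> str:
        # "all of": every authorization must be valid before the order is ready
        statuses = [a.status for a in self.authorizations]
        if "invalid" in statuses:
            return "invalid"
        return "ready" if all(s == "valid" for s in statuses) else "pending"


def policy_parent(name: str) -> Optional[str]:
    """Assumed CA policy: the last two labels stand in for any deeper name.
    A real CA would check the Public Suffix List here so 'co.uk' is never a parent."""
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) > 2 else None


def new_order(identifiers: list) -> Order:
    """Server side of newOrder: one authorization per identifier; dns-01 is always
    offered and dns-parent-01 is added only when the policy yields a parent."""
    authzs = []
    for ident in identifiers:
        challenges = [Challenge("dns-01", b64url(secrets.token_bytes(32)))]
        parent = policy_parent(ident)
        if parent:
            challenges.append(Challenge("dns-parent-01", b64url(secrets.token_bytes(32)), parent=parent))
        authzs.append(Authorization(ident, challenges))
    return Order(authzs)


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def dns_record_value(challenge: Challenge, thumbprint: str) -> str:
    """TXT value the client must publish: base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{challenge.token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode()).digest())


def validate(authz: Authorization, challenge: Challenge, thumbprint: str, zone: dict) -> bool:
    """Server-side validation against an in-memory zone {owner_name: {txt values}}.
    dns-01 looks under the identifier; the assumed dns-parent-01 looks under the parent
    the *server* put in the challenge, never a name the client supplies."""
    owner = authz.identifier if challenge.type == "dns-01" else challenge.parent
    if dns_record_value(challenge, thumbprint) in zone.get(f"_acme-challenge.{owner}", set()):
        challenge.status = "valid"
        return True
    challenge.status = "invalid"
    return False


def demo(use_parent: bool = True) -> dict:
    """Constructed walk-through: a client orders foo.bar.example.com and proves
    control of either the name itself or, via dns-parent-01, example.com."""
    client_jwk = {"kty": "EC", "crv": "P-256",   # sample key, not a real account key
                  "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
                  "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
    thumbprint = jwk_thumbprint(client_jwk)
    order = new_order(["foo.bar.example.com"])
    authz = order.authorizations[0]
    wanted = "dns-parent-01" if use_parent else "dns-01"
    chosen = next(c for c in authz.challenges if c.type == wanted)   # client picks one challenge
    owner = chosen.parent if use_parent else authz.identifier
    zone = {f"_acme-challenge.{owner}": {dns_record_value(chosen, thumbprint)}}
    validate(authz, chosen, thumbprint, zone)
    return {"order": order.status, "authz": authz.status, "record_owner": f"_acme-challenge.{owner}"}


if __name__ == "__main__":
    print(demo(use_parent=True))
    print(demo(use_parent=False))
```

The point of `validate` taking the parent from the challenge object rather than from the client is the policy boundary: the server decides which parent it will accept at newOrder time, so a client cannot steer validation toward a name of its own choosing. In a real deployment `policy_parent` is where a Public Suffix List check and any per-subscriber restrictions would live.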