Re: [Acme] expiry in dns-account-01
James Kasten <jdkasten@umich.edu> Fri, 22 March 2024 04:18 UTC
Return-Path: <jdkasten@umich.edu>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA574C15198B for <acme@ietfa.amsl.com>; Thu, 21 Mar 2024 21:18:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hmkOim3uDeav for <acme@ietfa.amsl.com>; Thu, 21 Mar 2024 21:18:12 -0700 (PDT)
Received: from mail-yw1-x1131.google.com (mail-yw1-x1131.google.com [IPv6:2607:f8b0:4864:20::1131]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43D5AC15153F for <acme@ietf.org>; Thu, 21 Mar 2024 21:18:06 -0700 (PDT)
Received: by mail-yw1-x1131.google.com with SMTP id 00721157ae682-60a5a11b59dso18353997b3.0 for <acme@ietf.org>; Thu, 21 Mar 2024 21:18:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; t=1711081085; x=1711685885; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=k9UECuD/tuDYFAzcIPmVk1twSeYwklw0wYuymTKy8EM=; b=cU0WySXgxxvFL7aaOUgsMmjPITMeYFD3YDFeRHKYWQ/zVhRXTY4eG7S59uwDpVDQWn +ET5b1E8FOmLohgtZJ94ccrZyoPDemyVBL4CdgtK4r2VYGWQJiNL9vaa52o5WPUuBT6X xJDqMUIe88/8O+qGE/jKL+avSJ4afg+GQiHD5xn+ahvA4hDT3BPPD4QTtwOLJi5y5Pb7 h1L4T68YfWBh9sKq2v20G7c/9y9Q+5kxfyVkh+Lg7/7U+U2g3tdJeKOygXXcSSYClofy kEhg2Xu07mOMyo/D/2ubJ5mrsRFJzRQhFMel0xFVdT/6lO2RWSVNqcJbAYKeBWp+tKHB J/uQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711081085; x=1711685885; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=k9UECuD/tuDYFAzcIPmVk1twSeYwklw0wYuymTKy8EM=; b=CM6nurW9VfuOZH9rU9b91rfVlQI+ZbT+5LIisA+kvZGgRvzJsvKvuQzzmck/pDEz9r gZSiIJR0dNaDjROzokknifUBwGk4oVxndNVqtZpM17sVjkTiJP+a0RRKaEi3bRyxVfIo k3QqbRCw+qXV0TH6QRQM4ugoRNyj/gq1x98vD0bc2phhWsv37SYCEesaTbmFEAdg3YOf 7EOMH2Zc0Urytt5Ljf9qEGZ26e0661ianenxG0cyE/K/jSAbNgDdWXUzhMo5EZaixOpF ZeD4hyXMC5MK5vx/N55/J7L9y4WMmAHmmAlALtFSuvD4a3hZbXmbN+uD/MYC0ImunKNi kyrw==
X-Gm-Message-State: AOJu0YxG5Hl5XdnRbJDf/nzC5l8PYXaiuegShpzMAwT6IGGYHvo8Is/3 DI899B83dgQ8h4XWwLQ0+Trj0bDhWz82z3SLLSpMkU7UZQMYfFL0HrUMQAfPyeQISSbGAvDVh8I DM3mRJ+EFNO3iL7J/bbYOXH4/AOPwG5Q7NHKDOJE+WIq0sCldBoA=
X-Google-Smtp-Source: AGHT+IF6ZnVkrYSiNazboVF+HhITXn71YBJb04YxUrlg2IpI7H9o1nZUkvpTwjIT5ECsfr1gzVJESALUe1XGfUdtSyM=
X-Received: by 2002:a25:8001:0:b0:dd1:2f58:292b with SMTP id m1-20020a258001000000b00dd12f58292bmr1123112ybk.9.1711081084658; Thu, 21 Mar 2024 21:18:04 -0700 (PDT)
MIME-Version: 1.0
References: <CAN3x4QkwmVDYt9xsoBaEfH2WQg5jr8J_73GB2JYVM3+z3TLjwQ@mail.gmail.com>
In-Reply-To: <CAN3x4QkwmVDYt9xsoBaEfH2WQg5jr8J_73GB2JYVM3+z3TLjwQ@mail.gmail.com>
From: James Kasten <jdkasten@umich.edu>
Date: Thu, 21 Mar 2024 21:17:53 -0700
Message-ID: <CAAEpsx-_ZPBmwrzLks2s+U5_scHsO90-d6YSB4qL++AOMZdfug@mail.gmail.com>
To: Jacob Hoffman-Andrews <jsha=40letsencrypt.org@dmarc.ietf.org>
Cc: acme@ietf.org
Content-Type: multipart/alternative; boundary="0000000000003bc7420614381c34"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/XbXpOSzrOLlmsdWNnVDRFZOTFz4>
Subject: Re: [Acme] expiry in dns-account-01
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Mar 2024 04:18:17 -0000
Hi Jacob, What use case did you have in mind for including the expiration date in the RDATA? We didn't choose to initially include it as we believed the instructions for when a validation record could be removed were clear with ACME. ACME challenge tokens are only used once and have the expiry of the associated authorization object as you mentioned. The dnsop draft goes on to state "The 'expiry' key MAY be omitted in cases where the provider has clarified the record expiry policy out-of-band (Appendix A.1.1.3 <https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-domain-verification-techniques-03#appendix-A.1.1.3>)" [Section 5.2.1 <https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-domain-verification-techniques-03#name-metadata-for-expiry> ]. In regards to allowing clients to preemptively shorten lifetimes of authorizations, it would be nice to attempt to quantify the expected savings from the server standpoint and to talk to clients to see how they would use the feature. I suspect that some clients currently using authorization deactivation would continue to do so even if they could specify shorter lifetimes. They require authorization deactivation immediately upon issuance. I don't currently have any hard data though. I agree that adding the feature would best be achieved with a separate draft. James On Tue, Mar 19, 2024 at 5:23 PM Jacob Hoffman-Andrews <jsha= 40letsencrypt.org@dmarc.ietf.org> wrote: > The latest dns-account-01 draft ( > https://datatracker.ietf.org/doc/html/draft-ietf-acme-scoped-dns-challenges-00) > incorporates recommendations from the dnsop domain control verification > draft ( > https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-domain-verification-techniques-03 > ). > > The dnsop draft says: > > > Providers MUST provide clear instructions on when a validation record > can be removed. These instructions SHOULD be encoded in the RDATA via > comma-separated ASCII key-value pairs [RFC1464], using the key "expiry" to > hold a time after which it is safe to remove the validation record. > > But the ACME draft doesn't specify that. I think it should! The specified > expiry should be the expiry of the pending authorization object. After that > point, the challenge will never be validated and the record can be removed. > > This brings up a separate question: Should subscribers be able to specify > what maximum lifetime they want for the validated authorization? For > instance some subscribers might want to never reuse authorizations. > Currently they can achieve that by deactivating authorizations after > issuance, but it could be more convenient to do it preemptively. One option > would be to encode it in the TXT record. But if we specify such a thing I > think we'd want it to work for any challenge type, probably by making it > part of the challenge POST. So, out of scope for this draft, I think. > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme >
- [Acme] expiry in dns-account-01 Jacob Hoffman-Andrews
- Re: [Acme] expiry in dns-account-01 James Kasten