Re: [Acme] Fwd: New Version Notification for draft-ietf-acme-star-delegation-01.txt

Ryan Sleevi <ryan-ietf@sleevi.com> Thu, 10 October 2019 15:16 UTC

From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Thu, 10 Oct 2019 11:16:15 -0400
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: Thomas Fossati <Thomas.Fossati@arm.com>, Ryan Sleevi <ryan-ietf@sleevi.com>, "acme@ietf.org" <acme@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Z6pXaQoOTiYXrKaIR1_OSH-G5bg>

On Thu, Oct 10, 2019 at 5:22 AM Yaron Sheffer <yaronf.ietf@gmail.com> wrote:

> I am wondering though about this sentence: A CA can "also offer additional
> validation methods/issuance flows which also use the "dns-01" method."
> Doesn't specifying "dns-01" restrict the CA to one particular
> validation/authorization flow?
>

No.

There's a gap in the assumption here, which is that the CA MUST support
draft-ietf-acme-caa, which is not specified, and were it specified, runs
into the set of issues covered in
https://tools.ietf.org/html/draft-ietf-acme-caa-10#section-5

However, setting that aside, the dns-01 validation method alone doesn't
restrict the issuance pattern to just being STAR, which is the assertion
"To restrict certificate delegation only to the protocol defined here:"
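The point about CAA made above, as an added illustration that is not part of the thread: a minimal evaluator for CAA "issue" records carrying the validationmethods parameter from draft-ietf-acme-caa (published as RFC 8657). It shows that the record constrains which validation method a CA may use, but carries nothing about the issuance flow, so a STAR order and a conventional order using dns-01 are indistinguishable to it. The record strings, CA name and order objects are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List

ISSUER_CRITICAL = 0x80   # RFC 8659 flags bit: unknown critical tag means "do not issue"
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

@dataclass
class CAARecord:
    flags: int
    tag: str
    issuer_domain: str                    # "" means "no CA may issue"
    params: Dict[str, str] = field(default_factory=dict)

def parse_caa_issue(value: str, flags: int = 0, tag: str = "issue") -> CAARecord:
    """Parse the '<issuer-domain>[; param=value]*' form of an issue/issuewild value."""
    parts = [p.strip() for p in value.split(";")]
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            params[k.strip()] = v.strip()
    return CAARecord(flags, tag, parts[0], params)

def ca_may_issue(records: List[CAARecord], ca_domain: str, order: dict) -> bool:
    """Decide from CAA alone. Only order['validation_method'] is consulted;
    a STAR order (RFC 8739 'auto-renewal' object present) gets no special treatment
    because the CAA syntax has no field that could express one."""
    method = order["validation_method"]
    # Any unknown tag flagged critical forbids issuance outright.
    if any(r.flags & ISSUER_CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False
    issue_records = [r for r in records if r.tag == "issue"]
    if not issue_records:
        return True                        # no issue records: no CAA constraint
    for r in issue_records:
        if r.issuer_domain != ca_domain:
            continue
        allowed = r.params.get("validationmethods")
        if allowed is None:
            return True                    # this CA is allowed, any method
        if method in [m.strip() for m in allowed.split(",")]:
            return True
    return False

# Constructed sample policy: only ca.example may issue, and only via dns-01.
SAMPLE_RECORDS = [parse_caa_issue("ca.example; validationmethods=dns-01")]
STAR_ORDER = {"validation_method": "dns-01", "auto-renewal": {"end-date": "2020-01-01T00:00:00Z"}}
PLAIN_ORDER = {"validation_method": "dns-01"}
```

Both `STAR_ORDER` and `PLAIN_ORDER` pass the sample policy; an `http-01` order or a different CA does not.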