Re: [Acme] ACME subdomains

Ryan Sleevi <ryan-ietf@sleevi.com> Thu, 03 September 2020 15:24 UTC

References: <AC488DAF-A24F-4B1A-9192-7ACD75F7EF48@felipegasper.com> <CAN3x4QmGDGGbeVXhH9NjMwSRLi97XX+di2tUAO0kNLyfCNABUA@mail.gmail.com> <CY4PR11MB16854D2F1B8E271BB8ABF7BDDB2F0@CY4PR11MB1685.namprd11.prod.outlook.com> <CAErg=HE+0WDTNVCZBnxPP_Mdh_w4LCxc0MOp6ZeMFBt_x5BncA@mail.gmail.com> <CY4PR11MB16855F30DC87D1CA85396D55DB2C0@CY4PR11MB1685.namprd11.prod.outlook.com> <028F0E45-F054-4608-92CB-F2A9255DDF24@akamai.com>
In-Reply-To: <028F0E45-F054-4608-92CB-F2A9255DDF24@akamai.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Thu, 03 Sep 2020 11:24:04 -0400
Message-ID: <CAErg=HG6dM4JgPWJtz+igLb==s1cx9AKzMq+LwEKLL1SVUyniA@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: "Owen Friel (ofriel)" <ofriel=40cisco.com@dmarc.ietf.org>, Ryan Sleevi <ryan-ietf@sleevi.com>, Jacob Hoffman-Andrews <jsha@letsencrypt.org>, "acme@ietf.org" <acme@ietf.org>, Felipe Gasper <felipe@felipegasper.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/aw7R__m9XFnMdTZsd-qDNnrn5fk>

On Thu, Sep 3, 2020 at 9:47 AM Salz, Rich <rsalz@akamai.com> wrote:

> - I followed the patterns used in RFC8555 which consistently uses
>   example.com as the ACME server base domain and example.org as the
>   client certificate identifier base domain, but yes Ryan I did find this a
>   source of confusion too when reading ACME.
>
> Thanks for the changes.  I am also confused by example.com and example.org.
> Someone want to grab acmeserver.org and donate it?

That still seems problematic; registrations have fixed lifetimes.

Just use RFC 6761 https://tools.ietf.org/html/rfc6761#section-6.5

Specifically, acmeserver.example

As James points out, the use isn't really consistent with RFC 8555 in the
examples provided, and that's why it bears clarifying. However, my specific
concern was this statement:

"For flexibility, I guess if the client wants foo.bar.example.org the
protocol should also allow server choice of offering challenges for (1)
both foo.bar.example.org and  example.com (2) only the requested identifier
foo.bar.example.com or (3) only the parent domain example.com."

Which is the problematic area. I believe this is "trying" to say that the
options are:

foo.bar.example.org
bar.example.org
example.org

And all permutations/combinations of those.

Whether those go to acmeserver.com or acmeserver.example is irrelevant; the
point of clarification is what challenges can be used for the identifier.
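The set of domains the message enumerates (the requested identifier and each of its parents) is the thing a server implementing subdomain authorization has to compute, and the part the message leaves implicit is where that walk must stop. The following is an added example written for this page, not code from the thread, the draft, or any ACME implementation. It assumes a policy in which the walk stops at the registrable domain, so a public suffix such as `org` or `co.uk` can never be a challenge target; the public-suffix set it uses is a constructed stand-in for the real Public Suffix List, and the function names are the example's own.

```python
"""Enumerate the parent domains through which an ACME server could accept a
challenge for a requested identifier, and check whether an authorization held
for one domain covers another.

Added example, not code from the ACME thread or any ACME implementation.
Assumption (not stated in the thread): the parent-domain walk stops at the
registrable domain, so a public suffix is never an acceptable challenge target.
"""

# Constructed stand-in for the Public Suffix List (https://publicsuffix.org/).
# A real server must load the full list; it has wildcard and exception rules
# that this flat set does not model.
PUBLIC_SUFFIXES = {"org", "com", "example", "uk", "co.uk"}


def _normalize(name: str) -> str:
    """Lower-case, strip a trailing dot, and reject empty labels."""
    name = name.strip().rstrip(".").lower()
    if not name or any(label == "" for label in name.split(".")):
        raise ValueError(f"malformed domain name: {name!r}")
    return name


def registrable_domain(name: str) -> str:
    """Return the registrable domain: the shortest suffix of `name` that is
    exactly one label below a public suffix (e.g. example.org, b.co.uk)."""
    labels = _normalize(name).split(".")
    # Walk from the right; the first suffix that is not itself a public
    # suffix is the registrable domain.
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:])
        if candidate not in PUBLIC_SUFFIXES:
            return candidate
    raise ValueError(f"{name!r} is a public suffix, not an issuable identifier")


def challenge_domains(identifier: str) -> list:
    """Domains on which a challenge could authorize `identifier`, most specific
    first: the identifier itself, then each parent down to and including the
    registrable domain. This is the list the thread spells out for
    foo.bar.example.org, with the stop condition made explicit."""
    ident = _normalize(identifier)
    if ident.startswith("*."):
        raise ValueError("wildcard identifiers are outside this example's scope")
    stop = registrable_domain(ident)
    labels = ident.split(".")
    candidates = []
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        candidates.append(candidate)
        if candidate == stop:
            break
    return candidates


def is_covered_by(identifier: str, authorized_domain: str) -> bool:
    """True if an authorization held for `authorized_domain` may be used to
    issue for `identifier` under the parent-domain policy above. A public
    suffix or an unrelated domain never covers anything."""
    return _normalize(authorized_domain) in challenge_domains(identifier)


if __name__ == "__main__":
    for name in ("foo.bar.example.org", "www.acmeserver.example", "a.b.co.uk"):
        print(name, "->", challenge_domains(name))
    print(is_covered_by("foo.bar.example.org", "example.org"))  # True
    print(is_covered_by("foo.bar.example.org", "org"))          # False
```

The important check is the last one: without the stop at the registrable domain, "all permutations/combinations" of the parents would include `org`, and a challenge answered on a public suffix would authorize every name beneath it. Plain RFC 8555 authorizations are bound to the exact identifier, so this parent-domain coverage is additional policy a server would have to opt into, and the public suffix boundary is the minimum guard it needs.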