IETF Logo Mail Archive

Re: [Acme] draft-ietf-acme-subdomains and public suffixes

Ryan Sleevi <ryan-ietf@sleevi.com> Tue, 17 May 2022 13:14 UTC

Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D76F7C159498 for <acme@ietfa.amsl.com>; Tue, 17 May 2022 06:14:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.402
X-Spam-Level:
X-Spam-Status: No, score=-1.402 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.248, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.248, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CC6-UKm6wI9F for <acme@ietfa.amsl.com>; Tue, 17 May 2022 06:14:33 -0700 (PDT)
Received: from mail-vk1-f171.google.com (mail-vk1-f171.google.com [209.85.221.171]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8EB12C157B50 for <acme@ietf.org>; Tue, 17 May 2022 06:14:33 -0700 (PDT)
Received: by mail-vk1-f171.google.com with SMTP id e144so8995517vke.9 for <acme@ietf.org>; Tue, 17 May 2022 06:14:33 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=FEPEbwHqeIn+h3aVwOTwTORJBjY3r45Zxtr5Z8lSKBk=; b=npKTPwCjzYAki9lT9ZmUUDjwlxqUZKyD7GEKywBO2PxyJT7D2W5nKPSzfmY0AMf5fi P7005EkMnhkl0olGpUjGPiG/vkeX3Kk2jatuljWL1EozPrEyCt8100yPoYDi2EQ3sZaX L7WF40umAu5UCIj1AHpit2LNyd1mqPUmySPfxd6FIf9G6wdTzxAeifLmWzPqUNI2nTTs k4ajzYBq9BEDEGJq2cli/FIkAg0Rm5c1p38NNj6VG1iBkXTQHICK1VaXRV424blbIrXC GkjKGjEKZriQDbZUDk+AbTDS2uJf5DV27HvyGOngDTXPlcnjPeQOucaG5Vsp5LxWLvoG MMlQ==
X-Gm-Message-State: AOAM530nTV91IgeMkq46rviXpbGZ9GRqqKASPKYek5Ch8n8Qp3EdK2mQ p87yBxVCpxP0Ktp2SgyOrM4pOkchG0Q=
X-Google-Smtp-Source: ABdhPJwglMFhdYAjj9YJvl4kZX6OYPZCS+5DERw4b3XZkVu1f0lyLhcBjuuKnQ4MULMNA+LtxVbIng==
X-Received: by 2002:a1f:a7d5:0:b0:34e:4447:6309 with SMTP id q204-20020a1fa7d5000000b0034e44476309mr8795091vke.38.1652793270983; Tue, 17 May 2022 06:14:30 -0700 (PDT)
Received: from mail-vs1-f43.google.com (mail-vs1-f43.google.com. [209.85.217.43]) by smtp.gmail.com with ESMTPSA id k10-20020a056102116a00b0032d275e6909sm1224567vsg.9.2022.05.17.06.14.30 for <acme@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 17 May 2022 06:14:30 -0700 (PDT)
Received: by mail-vs1-f43.google.com with SMTP id z144so18586521vsz.13 for <acme@ietf.org>; Tue, 17 May 2022 06:14:30 -0700 (PDT)
X-Received: by 2002:a05:6102:e96:b0:32d:3ecd:36f3 with SMTP id l22-20020a0561020e9600b0032d3ecd36f3mr8299015vst.71.1652793269891; Tue, 17 May 2022 06:14:29 -0700 (PDT)
MIME-Version: 1.0
References: <99e7080c-8bf3-86ad-65a3-05eb18992632@desec.io> <CAErg=HEzWf+j31D+ko9c0kVkdmRTY5sK8F5UwCmBM+qH=Cgnfg@mail.gmail.com> <0bc0e8e6-5314-4190-88b1-31839dbc3cf9@desec.io>
In-Reply-To: <0bc0e8e6-5314-4190-88b1-31839dbc3cf9@desec.io>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Tue, 17 May 2022 09:14:19 -0400
X-Gmail-Original-Message-ID: <CAErg=HG8djqewjZFUgV9w1ptkOT5yPaYmO-2W7-3qkmPw+gNNw@mail.gmail.com>
Message-ID: <CAErg=HG8djqewjZFUgV9w1ptkOT5yPaYmO-2W7-3qkmPw+gNNw@mail.gmail.com>
To: Peter Thomassen <peter@desec.io>
Cc: IETF ACME <acme@ietf.org>, Ryan Sleevi <ryan-ietf@sleevi.com>
Content-Type: multipart/alternative; boundary="000000000000bd373705df34ebb8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/bLeHgcYYFzrBA7ftxWgRh4qLTgc>
Subject: Re: [Acme] draft-ietf-acme-subdomains and public suffixes
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 May 2022 13:14:37 -0000

On Mon, May 16, 2022 at 7:47 AM Peter Thomassen <peter@desec.io> wrote:

> FWIW, the notion is already codified in RFC 7489 (Section 3.2) and RFC
> 9091 (in the title, albeit experimental).


Yes, doubly unfortunate, as the DBOUND WG can attest ;)

Sure. However, if the relevant part of the DNS space is, at the time of
> certificate issuance, separated into different realms of authority (e.g.,
> as indicated by a PSL entry),


NB: the PSL does not indicate this separation of authority. This is an
example of the problem DBOUND was tackling, in which different use cases
and needs were projected onto the PSL, but not necessarily what the PSL
reflected.

> The requirement of public suffix separation is _primarily_ a holdover
> from when every validation method was treated equally by CAs (e.g. the use
> of HTTP to approve a wildcard domain, without demonstrating DNS-based
> control). With the new separations that restrict such broadening,
>
> Which?


The Baseline Requirements, and the limits on what methods are suitable to
authorize an Authorization Domain Name and Wildcard. The methods, and their
limitations, are discussed in 3.2.2.4

However, this is all policy, and arguably out of scope here. Even the PSL
reflects a policy-based approach, due to the many versions of such lists,
either chronological from a single source or, quite commonly, local policy
based modifications and adjustments. So there’s no value to be derived in
referencing, if only because it’s an unstable and subjective base to begin
with.

v2.23.0 | Report a Bug | By Email