Re: [Acme] ACME subdomains

"Owen Friel (ofriel)" <ofriel@cisco.com> Wed, 02 September 2020 09:40 UTC

From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Jacob Hoffman-Andrews <jsha@letsencrypt.org>, Felipe Gasper <felipe@felipegasper.com>
CC: "acme@ietf.org" <acme@ietf.org>
Thread-Topic: [Acme] ACME subdomains
Date: Wed, 02 Sep 2020 09:40:23 +0000
Message-ID: <CY4PR11MB16854D2F1B8E271BB8ABF7BDDB2F0@CY4PR11MB1685.namprd11.prod.outlook.com>
References: <AC488DAF-A24F-4B1A-9192-7ACD75F7EF48@felipegasper.com> <CAN3x4QmGDGGbeVXhH9NjMwSRLi97XX+di2tUAO0kNLyfCNABUA@mail.gmail.com>
In-Reply-To: <CAN3x4QmGDGGbeVXhH9NjMwSRLi97XX+di2tUAO0kNLyfCNABUA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/bvs-yZMYlmnEmmdoFKRo8HHfBoA>

Thanks Felipe, Jacob, we had not really considered the use case where the server would offer challenges for both foo.bar.example.org and example.org and the client could choose which to fulfil.

We assumed (maybe naively) that the server would only offer the Base Domain Name challenge (using the CA/B Baseline defn. of the Base Domain Name), and also wanted to minimise changes to the protocol and JSON objects.

For flexibility, I guess if the client wants foo.bar.example.org the protocol should also allow server choice of offering challenges for (1) both foo.bar.example.org and example.com (2) only the requested identifier foo.bar.example.com or (3) only the parent domain example.com.

I was talking through this with Richard, and there are a few choices for how to enhance the authorizations object to allow this. If the server only wants to offer one challenge, then that's straightforward. It includes whatever identifier it picks (subdomain or parent) in the authorization object. If it wants to include both, here are a few options:

Both option 1. Your suggestion. I think we need new challenge types for the parent for each of the supported challenge types, e.g. http-parent-01 and dns-parent-01.

~~~
   {
     "status": "pending",
     "expires": "2015-03-01T14:09:07.99Z",

     "identifier": {
       "type": "dns",
       "value": "foo.bar.example.org"
     },

     "challenges": [
       {
         "url": "https://example.com/acme/chall/prV_B7yEyA4",
         "type": "http-01",
         "status": "pending",
         "token": "DGyRejmCefe7v4NfDGDKfA"
       },
       {
         "url": "https://example.com/acme/chall/prV_B7yEyA4",
         "type": "http-parent-01",
         "parent-identifier": "example.org",
         "status": "pending",
         "token": "DGyRejmCefe7v4NfDGDKfA"
       },
       {
         "url": "https://example.com/acme/chall/prV_B7yEyA4",
         "type": "dns-parent-01",
         "parent-identifier": "example.org",
         "status": "pending",
         "token": "DGyRejmCefe7v4NfDGDKfA"
       }
     ]
   }
~~~

Both option 2. The challenge for the parent domain is of a new type that contains a set of nested challenges of existing types.

~~~
   {
     "status": "pending",
     "expires": "2015-03-01T14:09:07.99Z",

     "identifier": {
       "type": "dns",
       "value": "foo.bar.example.org"
     },

     "challenges": [
       {
         "url": "https://example.com/acme/chall/prV_B7yEyA4",
         "type": "http-01",
         "status": "pending",
         "token": "DGyRejmCefe7v4NfDGDKfA"
       },
       {
         "url": "https://example.com/acme/chall/PAniVnsZcis",
         "type": "related-identifier",
         "status": "pending",
         "related-identifier": "example.org",
         "challenges": [
           {
             "url": "https://example.com/acme/chall/prV_B7yEyA4",
             "type": "http-01",
             "status": "pending",
             "token": "DGyRejmCefe7v4NfDGDKfA"
           },
           {
             "url": "https://example.com/acme/chall/prV_B7yEyA4",
             "type": "dns-01",
             "status": "pending",
             "token": "DGyRejmCefe7v4NfDGDKfA"
           }
         ]
       }
     ]
   }
~~~

Both option 3. A new challenge type that points to another new authorization object. This can be a standard authorization object that includes http-01, dns-01 challenges for the parent. It may make sense to also include the parent domain in this new challenge, even though it will be in the 2nd authorization.

~~~
   {
     "status": "pending",
     "expires": "2015-03-01T14:09:07.99Z",

     "identifier": {
       "type": "dns",
       "value": "foo.bar.example.org"
     },

     "challenges": [
       {
         "url": "https://example.com/acme/chall/prV_B7yEyA4",
         "type": "http-01",
         "status": "valid",
         "token": "DGyRejmCefe7v4NfDGDKfA",
         "validated": "2014-12-01T12:05:58.16Z"
       },
       {
         "url": "https://example.com/acme/chall/PAniVnsZcis",
         "type": "related-identifier",
         "related-identifier": "example.org",
         "related-authorization": "uri",
         "status": "pending"
       }
     ]
   }
~~~

Of all the above, option 3 arguably keeps the client implementation and logic as close to base ACME as possible.



From: Acme <acme-bounces@ietf.org> On Behalf Of Jacob Hoffman-Andrews
Sent: 05 August 2020 07:53
To: Felipe Gasper <felipe@felipegasper.com>
Cc: acme@ietf.org
Subject: Re: [Acme] ACME subdomains

I haven't followed the "ACME for subdomains" conversation closely, but the base semantics of ACME are designed such that they can express "all of" semantics AND "one of" semantics. For a given Order, a client has to fulfil all the Authorizations; for a given Authorization, a client has to fulfil one of the Challenges.

To take advantage of this, you would need to define a new challenge type that expresses validating a parent domain. For instance "dns-parent-01." It would contain the name of the parent domain as a field.

If a server has the policy that validating control of either foo.bar.example.com or example.com is sufficient to issue for foo.bar.example.com, it would respond to newOrder requests for foo.bar.example.com by creating an Order with one Authorization (for foo.bar.example.com), and that Order would have two Challenges: "dns-01" and "dns-parent-01" (with a parent domain of "example.com"). The client could then choose which challenge to attempt.
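As an added illustration (not code from either poster or from any ACME implementation), the following Python sketches a client walking Owen's option 3 with Jacob's all-of/one-of semantics: every authorization in the order must be satisfied, one challenge per authorization, and a "related-identifier" challenge is followed only if the related name is a proper parent of the authorization's identifier and the referenced authorization is really for that name. The CA URLs, tokens and the in-memory store standing in for HTTP fetches are constructed for the example.

```python
# Constructed sample (hypothetical CA URLs): an order for foo.bar.example.org
# whose authorization offers http-01 for the name itself plus a
# "related-identifier" challenge (Owen's option 3) that points at a second,
# standard authorization object for the parent example.org.
SUB_URL = "https://ca.example/acme/authz/sub"
PARENT_URL = "https://ca.example/acme/authz/parent"
ORDER = {"status": "pending", "authorizations": [SUB_URL]}
AUTHZ_STORE = {
    SUB_URL: {"status": "pending",
        "identifier": {"type": "dns", "value": "foo.bar.example.org"},
        "challenges": [
            {"type": "http-01", "status": "pending", "token": "t1"},
            {"type": "related-identifier", "status": "pending",
             "related-identifier": "example.org",
             "related-authorization": PARENT_URL}]},
    PARENT_URL: {"status": "pending",
        "identifier": {"type": "dns", "value": "example.org"},
        "challenges": [
            {"type": "http-01", "status": "pending", "token": "t2"},
            {"type": "dns-01", "status": "pending", "token": "t3"}]},
}

def is_proper_parent(parent, child):
    """True when `parent` is a strict, label-aligned ancestor of `child`."""
    p, c = parent.lower().rstrip("."), child.lower().rstrip(".")
    return c != p and c.endswith("." + p)

def plan_authz(url, fetch, supported):
    """One-of semantics: pick the first pending challenge the client supports.
    A related-identifier hop is taken only if the related name is a proper
    parent and the referenced authorization is for that exact name; the
    strict-parent rule also bounds recursion, since each hop shortens the name."""
    authz = fetch(url)
    name = authz["identifier"]["value"]
    for ch in authz["challenges"]:
        if ch["status"] != "pending":
            continue
        if ch["type"] in supported:
            return [(name, ch["type"])]
        if ch["type"] == "related-identifier":
            parent = ch["related-identifier"]
            target = fetch(ch["related-authorization"])
            if (is_proper_parent(parent, name)
                    and target["identifier"]["value"] == parent):
                return plan_authz(ch["related-authorization"], fetch, supported)
    raise ValueError(f"no usable challenge for {name}")

def plan_order(order, fetch, supported):
    """All-of semantics: every authorization in the order must be satisfied."""
    return [c for u in order["authorizations"] for c in plan_authz(u, fetch, supported)]
```

With only http-01 support the client validates the subdomain directly; with only dns-01 support it follows the related-identifier hop and validates the parent instead.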