IETF Logo Mail Archive

Re: [Acme] DNS-ACCOUNT-01 Updates

Deb Cooley <debcooley1@gmail.com> Mon, 22 May 2023 11:33 UTC

Return-Path: <debcooley1@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30324C151B09 for <acme@ietfa.amsl.com>; Mon, 22 May 2023 04:33:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.743
X-Spam-Level:
X-Spam-Status: No, score=-6.743 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TVD_PH_BODY_ACCOUNTS_PRE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zm2VdzD8RLSe for <acme@ietfa.amsl.com>; Mon, 22 May 2023 04:33:07 -0700 (PDT)
Received: from mail-il1-x135.google.com (mail-il1-x135.google.com [IPv6:2607:f8b0:4864:20::135]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8BBEC151B04 for <acme@ietf.org>; Mon, 22 May 2023 04:33:07 -0700 (PDT)
Received: by mail-il1-x135.google.com with SMTP id e9e14a558f8ab-3319a6f989aso40901525ab.2 for <acme@ietf.org>; Mon, 22 May 2023 04:33:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1684755187; x=1687347187; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=MSqM2FQtn4ZvVLyvhuQt/+zYC2Y8pJwZL1P+YDHI+qw=; b=U2EEPIPu8YmjvDoySwhPBDt2/U0fwUMYZ42MDI3DpFkoBSSB7f8DJ6sNFJmIqzWwsC tEfnNAmoRye5NhfUs6OwGgGH2vb7Or7cOl8mCWj16rFnGgrzISpF1dR4G/XDlRMEivXT K1ffUQavtNUyunqaROfKvgHyWVrwbX6WmoWj/U78CL967KbvsBJ+BSkHfB0yeqM9omk0 pihDRB/Rvm+Hhwyd5iOKrbboB+CUebAuYP1CIyBfOYMv3cD8u4st2uQjOPRPKuXdV9Ar 1R2DYXJzeZC8CMlc8zQdXgl4HbR0H65AJjgdOLCWphJONLC/KReTttIOglW+TNNHRoUo gWdg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684755187; x=1687347187; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=MSqM2FQtn4ZvVLyvhuQt/+zYC2Y8pJwZL1P+YDHI+qw=; b=LxwcLdcMpSEHjQB6MUwmByTYHykJjuwaAp55Kma43tLvONlmGjDa15EFXM/EMba5nC 1Q5G7vIfQWL4iN73xaeB9ii7UDa/RVQqfjXbqfSa1mbYlH91ywU7LB3zhH+AP2IYnxLq ef3+8Xf4HJFN7OgJGcjPC+BW4c4A0zSXdqNABsitS2x6jWlVEy2/QG6A4eeOKw8+koXL Obkhfc3Uw2htpUDsyiaRfWLK2X1FTTnjhvCbUzRdeR0olm7jOf/CXwv7iw5+eES+JOkY DA5+vipSNI7h6NEwq5i+L+kl7jcbPmw+YabE1AlIt1qw86mwpPYLfwK0FYzeaJDeqWx5 q+Ig==
X-Gm-Message-State: AC+VfDz5DKfPGUTgT50H2iGUs4XPcrKo97mPyzyXctEiM3HCrRq13YxC AI1FMqmdzaaUS+XO9VXEDmSFqilPhiW3+AULZggRL96AIw==
X-Google-Smtp-Source: ACHHUZ5bQijCDSd5dLohsrvdwTHgFNLHIPgNpmyEI/0yJsxpv45840Ir6gyVYG+9Zqq8+IUeXw09cPX0xfuu/1BDjMY=
X-Received: by 2002:a05:6e02:687:b0:339:f2bd:cd32 with SMTP id o7-20020a056e02068700b00339f2bdcd32mr2472551ils.11.1684755186589; Mon, 22 May 2023 04:33:06 -0700 (PDT)
MIME-Version: 1.0
References: <22209596-7C4D-42F4-9415-98F106047C33@gmail.com> <CAEmnErcRPMn9SiBNHtS0-oVEXVJCR+c9eXavGXMU6NLgoakwsA@mail.gmail.com> <CAMEWqGsXZGmP2VXcEemxM9T+2+zAppY2orP6wXyW+1xCeHuviA@mail.gmail.com> <ebd953b1-ce32-02ac-f133-86586c6278e6@gmail.com> <CAMh843ubkh51cXOO8PNK9OasbzKrZz4=e4h+67j5Et-hKo=k3g@mail.gmail.com> <MN2PR05MB6671D7B9A828AB0726B603AFA67C9@MN2PR05MB6671.namprd05.prod.outlook.com>
In-Reply-To: <MN2PR05MB6671D7B9A828AB0726B603AFA67C9@MN2PR05MB6671.namprd05.prod.outlook.com>
From: Deb Cooley <debcooley1@gmail.com>
Date: Mon, 22 May 2023 07:32:55 -0400
Message-ID: <CAGgd1OcsXP87pORuyB4SVa8KzDgZtCAf3CG09FZdkr7y943mdg@mail.gmail.com>
To: "acme@ietf.org" <acme@ietf.org>
Cc: Amir Omidi <aaomidi=40google.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006e256105fc46a275"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/dIQK6guIFh_1PNJPd6PcOHK40_k>
Subject: Re: [Acme] DNS-ACCOUNT-01 Updates
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 May 2023 11:33:12 -0000

What is confusing is having a numerical value as part of the draft title.
Currently:  draft-ietf-acme-dns-account-01-01 which is only going to be
worse as the draft moves through version numbers.  My suggestion would be
to name it without the use of a numerical value.  This gets rid of both
problems.  The only question is what to actually call it.

Deb Cooley (no hats)
decoole@radium.ncsc.mil



On Fri, May 19, 2023 at 8:38 AM Sean Dilda <sean@duke.edu> wrote:

> I don't spend a lot of time on the Let's Encrypt forums, but I do maintain
> an internal ACME server and work with the IT staff that manage certs/acme
> client installs.   Most of my users are only vaguely aware that their ACME
> client creates an account as part of the process.  Given that, I suspect
> they would find the name 'DNS-ACCOUNT-01' confusing as it wouldn't be clear
> to them which account is being referred to.  They would likely assume it
> would be the account on their DNS provider.    I think 'DNS-02' as a newer
> version of the DNS challenge type would be less confusing.
> ------------------------------
> *From:* Acme <acme-bounces@ietf.org> on behalf of Amir Omidi <aaomidi=
> 40google.com@dmarc.ietf.org>
> *Sent:* Thursday, May 18, 2023 5:03 PM
> *To:* Seo Suchan <tjtncks@gmail.com>
> *Cc:* acme@ietf.org <acme@ietf.org>
> *Subject:* Re: [Acme] DNS-ACCOUNT-01 Updates
>
> I think what decision happens here will probably end up setting the
> precedent on either these digits are "version numbers" of the "base
> challenge types" (Not sure what to call them), and they act as a
> replacement of them. Or that they are another flavor of the
> technologies/protocols used in those challenges. I do not have strong
> opinions here either way.
>
> Another factor to consider is how would support/Q&A forums feel about the
> name choice of DNS-ACCOUNT-01 vs DNS-02. For example, if there is anyone
> here who's keeping an eye on the Let's Encrypt's community forum do you
> think DNS-02 would make things easier or harder for users adopting ACME
> based certificate issuance and the folks helping them out? If harder, do
> you think DNS-ACCOUNT-01 would be a better option here?
>
> On Sat, May 13, 2023 at 5:24 AM Seo Suchan <tjtncks@gmail.com> wrote:
>
> I kinda think TLS-SNI-02 was made as version 2 of TLS-SNI-01, but it
> doesn't matter as they are no longer a thing
> 2023-05-13 오전 3:43에 Q Misell 이(가) 쓴 글:
>
>
> I'm also in favour of calling it DNS-02. I highly doubt there will be many
> (if any) versions of challenges beyond version 1. It makes more sense to me
> to read DNS-02 and DNS challenge type 2, not a upgraded edition of version
> 1.
> ------------------------------
>
> Any statements contained in this email are personal to the author and are
> not necessarily the statements of the company unless specifically stated.
> AS207960 Cyfyngedig, having a registered office at 13 Pen-y-lan Terrace,
> Caerdydd, Cymru, CF23 9EU, trading as Glauca Digital, is a company
> registered in Wales under № 12417574
> <https://urldefense.com/v3/__https://find-and-update.company-information.service.gov.uk/company/12417574__;!!OToaGQ!r1rAJU8Y16wsZhu9vZIYkTsR0gQG3x5k5iniyAWsEcG3EL1ott1SAH_t6KkJBohTGUxArlzOHToU5usEHb4eLMzA2bpN$>.
> ICO register №: ZA782876
> <https://urldefense.com/v3/__https://ico.org.uk/ESDWebPages/Entry/ZA782876__;!!OToaGQ!r1rAJU8Y16wsZhu9vZIYkTsR0gQG3x5k5iniyAWsEcG3EL1ott1SAH_t6KkJBohTGUxArlzOHToU5usEHb4eLKSmK3R2$>.
> UK VAT №: GB378323867. EU VAT №: EU372013983. Turkish VAT №: 0861333524.
> South Korean VAT №: 522-80-03080. Glauca Digital and the Glauca logo are
> registered trademarks in the UK, under № UK00003718474 and № UK00003718468,
> respectively.
>
>
> On Fri, 12 May 2023 at 17:58, Aaron Gable <aaron=
> 40letsencrypt.org@dmarc.ietf.org> wrote:
>
> For what it's worth, I'm in favor of calling it DNS-02. Despite your
> totally correct descriptions of the disadvantages of this new method, I
> *do* still view it as a generally-improved version of DNS-01. It's
> obviously backwards-incompatible, hence the new major version number, but
> it is generally an improvement that creates more flexibility for clients at
> little cost. I also find the name "DNS-ACCOUNT-01" to be slightly
> unfortunate, as no "dns accounts" are involved -- it makes sense once you
> understand the method, but the name gives little to no hint to how the
> method works on its own.
>
> Aaron
>
> On Thu, May 11, 2023 at 4:52 PM Antonios Chariton <daknob.mac@gmail.com>
> wrote:
>
> Hello everyone,
>
> I’m sending this e-mail to the list to update you all on DNS-ACCOUNT-01
> and the news we have since the presentation in IETF 116.
>
> You can all help by reviewing the text[0], these updates, and sharing your
> opinion in this thread here!
>
> The CA/B Forum 2023-05-04 meeting discussed DNS-ACCOUNT-01 and three
> things came out of it, as it is evident in the minutes[1]:
>
> 1) This method is compatible with the CA/B Forum Baseline Requirements
> that are binding for all WebPKI CAs, specifically section 3.2.2.4.7 for
> agreed-upon change to a DNS record. This means that CAs can start using
> this standard immediately, and there are no other dependencies. The design
> seemed to be good in its current version. Obviously, quick changes to their
> CP/CPS may be required, but this is not blocking and unilateral.
>
> 2) There is a documented need for various usecases where this challenge
> would help, from several stakeholders, and evidence that it could be
> beneficial to the ecosystem and its development. It allows ACME to be used
> in even more situations where more traditional and non-automatable methods
> had to be relied upon.
>
> 3) There was a suggestion to rename this challenge to DNS-02. This is
> something that we had rejected back when we created this challenge, however
> it has been suggested several times, so we are happy to reconsider this. It
> may be the right choice.
>
> There’s no published precedence of what -02 means right now, so it’s
> unclear whether it is a second option, or a next generation / improved
> challenge. We never planned to replace DNS-01 with our challenge, we always
> intended to add more options, and cover more use cases. Here are some
> technical “disadvantages” of this work vs DNS-01:
>
> 1) ACME Clients need to calculate the correct label. Although we provide
> the algorithm, a bash script, and test vectors, anecdotal data from ISRG
> suggest that some clients still mess things up (implementing RFC 8555), so
> this is another value where this may happen. An easy solution here would be
> to share the expected label with the client, but we decided against this to
> protect against cross-protocol attacks, and also to protect the client
> against an ACME server giving it arbitrary DNS records to change. If
> clients calculate this independently, they don’t need to trust the server.
>
> 2) The label is longer, so some very very long domain names may no longer
> work. Since this is 17 characters longer than DNS-01’s label, anything
> approaching the various limits (of DNS, etc.) may break. For example, if in
> DNS-01 you end up with a 236-253 character domain name to check for the TXT
> record, then DNS-ACCOUNT-01 will go over the limit and won’t work. We don’t
> consider this to be a major problem. We’re also not aware of many domain
> names in the 236-253 character range.
>
> 3) If an ACME client for whatever reason loses access to the ACME account,
> this “set and forget” DNS label now has to change. Things would break here
> with other standards too (if you need an EAB token, you can’t create a new
> account anyways, if you limit the ACME account via CAA records, you can’t
> issue, etc.) but DNS-ACCOUNT-01 would just add to the things that would
> have to be taken into account. We don’t currently consider this a huge
> issue, but if you think it could be, let us know.
>
> As you can see, these 3 tradeoffs above had to be made, to ensure we can
> cover more use cases. We think these are good tradeoffs for an additional
> ACME challenge, but perhaps they are not for an “upgraded” one.
>
> What do you think about the naming? Do you perceive “DNS-02” as an
> improved version, or as a second option? We are happy to rename this to
> DNS-02 and we have no plans of breaking any ACME server or client already
> using DNS-01 :)
>
> Thanks for reading through this, and I am happy to hear your thoughts and
> get reviews on the draft, so we can move further with this work.
>
> Antonios Chariton
> Independent Contributor ;)
>
> - - -
> Links:
>
> [0] :
> https://archive.cabforum.org/pipermail/validation/2023-May/001892.html
> <https://urldefense.com/v3/__https://archive.cabforum.org/pipermail/validation/2023-May/001892.html__;!!OToaGQ!r1rAJU8Y16wsZhu9vZIYkTsR0gQG3x5k5iniyAWsEcG3EL1ott1SAH_t6KkJBohTGUxArlzOHToU5usEHb4eLJ-dXGZ7$>
> [1] : https://daknob.github.io/draft-todo-chariton-dns-account-01/
> <https://urldefense.com/v3/__https://daknob.github.io/draft-todo-chariton-dns-account-01/__;!!OToaGQ!r1rAJU8Y16wsZhu9vZIYkTsR0gQG3x5k5iniyAWsEcG3EL1ott1SAH_t6KkJBohTGUxArlzOHToU5usEHb4eLAIe3NHy$>
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
> <https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/acme__;!!OToaGQ!r1rAJU8Y16wsZhu9vZIYkTsR0gQG3x5k5iniyAWsEcG3EL1ott1SAH_t6KkJBohTGUxArlzOHToU5usEHb4eLIdl8lBK$>
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
> <https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/acme__;!!OToaGQ!r1rAJU8Y16wsZhu9vZIYkTsR0gQG3x5k5iniyAWsEcG3EL1ott1SAH_t6KkJBohTGUxArlzOHToU5usEHb4eLIdl8lBK$>
>
>
> _______________________________________________
> Acme mailing listAcme@ietf.orghttps://www.ietf.org/mailman/listinfo/acme <https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/acme__;!!OToaGQ!r1rAJU8Y16wsZhu9vZIYkTsR0gQG3x5k5iniyAWsEcG3EL1ott1SAH_t6KkJBohTGUxArlzOHToU5usEHb4eLIdl8lBK$>
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
> <https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/acme__;!!OToaGQ!r1rAJU8Y16wsZhu9vZIYkTsR0gQG3x5k5iniyAWsEcG3EL1ott1SAH_t6KkJBohTGUxArlzOHToU5usEHb4eLIdl8lBK$>
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>

v2.23.0 | Report a Bug | By Email