Re: [Acme] A single failed challenge should not invalidate an entire order

Kas <kas@lightc.com> Tue, 18 August 2020 21:10 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/eP8XuBiJSq_mB7WUiSLL7gyo8Ss>


On 8/18/2020 11:16 PM, Matt Holt wrote:
> I propose that RFC 8555 §7.5.1 be revised to say, "The server is said to "finalize" the authorization when it has successfully completed one of the challenges or failed all of them."

I join my voice to Matt's, but I have a slightly different proposal: there is the Sender Policy Framework (SPF), which works just fine as it is for email. My proposal is a similar mechanism, where a DNS TXT record would declare and establish an ACME policy: which ACME challenges should be the minimum acceptable by the ACME service to authorize, and also the maximum needed to authorize.

For example, the ability to declare which challenges are supported by the client (as a list or an array), and what the minimum number of challenges that must be passed is; here, for this minimum, a simple number may do, like 2, meaning two of the three supported challenges must be passed. It could also mark a challenge (or challenges) as a must. The server must be guided by this rule as long as that policy exists at the time of validation, and in the absence of such a policy it would act as it currently does.
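An added worked example of the policy idea in the message above (my own code, not Kas's, Matt's, or any ACME project's): the TXT record syntax, its field names, the `acmepol1` version tag and the no-policy fallback of "one valid challenge is enough" are all assumptions made here to illustrate the proposal, since the post does not specify them.

```python
"""Evaluator for a hypothetical DNS-TXT ACME challenge policy.

Record syntax (invented for this example, not from the post):
  v=acmepol1; supported=http-01,dns-01,tls-alpn-01; min=2; must=dns-01
"""
from dataclasses import dataclass, field


@dataclass
class AcmePolicy:
    supported: list                           # challenge types the client supports
    min_passed: int                           # how many of them must succeed
    required: set = field(default_factory=set)  # challenges that must succeed


def parse_policy(txt: str) -> AcmePolicy:
    """Parse one TXT record. Any malformed or inconsistent record raises
    ValueError, so a bad policy fails closed instead of silently relaxing."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep or key.strip() in fields:
            raise ValueError(f"malformed or duplicate field: {part!r}")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "acmepol1":
        raise ValueError("unknown policy version")
    supported = [c for c in fields.get("supported", "").split(",") if c]
    must = {c for c in fields.get("must", "").split(",") if c}
    min_passed = int(fields.get("min", "1"))  # assumed default: 1 (int() rejects junk)
    if not supported or not 1 <= min_passed <= len(supported):
        raise ValueError("min must be between 1 and the number of supported challenges")
    if not must <= set(supported):
        raise ValueError("every 'must' challenge has to be listed in 'supported'")
    return AcmePolicy(supported, min_passed, must)


def authorized(policy, results: dict) -> bool:
    """results maps challenge type -> True (valid) / False (invalid).
    With no policy published, fall back to the assumed current behaviour:
    a single valid challenge authorizes the identifier."""
    if policy is None:
        return any(results.values())
    passed = {c for c, ok in results.items() if ok and c in policy.supported}
    # Every 'must' challenge passed AND enough supported challenges passed.
    return policy.required <= passed and len(passed) >= policy.min_passed
```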