Re: [Acme] scope in dns-account-01 and dns-02 challenge
Amir Omidi <amir@aaomidi.com> Tue, 19 March 2024 01:34 UTC
Return-Path: <amir@aaomidi.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE4FCC151072 for <acme@ietfa.amsl.com>; Mon, 18 Mar 2024 18:34:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aaomidi.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OR04LbeefA1d for <acme@ietfa.amsl.com>; Mon, 18 Mar 2024 18:34:03 -0700 (PDT)
Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C6B2C14F6F3 for <acme@ietf.org>; Mon, 18 Mar 2024 18:34:03 -0700 (PDT)
Received: by mail-ed1-x532.google.com with SMTP id 4fb4d7f45d1cf-568d323e7fbso2414056a12.3 for <acme@ietf.org>; Mon, 18 Mar 2024 18:34:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aaomidi.com; s=google; t=1710812040; x=1711416840; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=rRkmDXWxGKVYjJKAaaomH4pT5lXroRPHgpZxhBQtoNA=; b=a/gCB9cuNY+3jSW3VRMGJtOOLv8ot3ESdHvGloK3ulXqs6llS9eJxZVyyKM/uRH4hn yKEVs9Ls8LvCErppI1Z5p2dy727WQV5ZgkW45gLZRBP6hKhD939WKymYVp+qRV/srM5l xijJHEgS97/N6JEskzl52d9A6EsocsJRz8/8K6AvcoWdsVr31mobM2yUvesbx6u7hwbU ZZ0mo1jYRTQD1taB765Y6YOUrooeT3hVRZTzZGk6Pq/K0j5cQwFxMB+1Ipz0WaDYaenr JmN+2U0cvE2gHgYwFUpH0miH3pCZFK9Kcx2ARDfhRLESSLbOPGMCIj8eUTwTbIKbjc5x rQOg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710812040; x=1711416840; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=rRkmDXWxGKVYjJKAaaomH4pT5lXroRPHgpZxhBQtoNA=; b=xA7k/y7q9LxhlUBg8mLwI0GoYY64otlMIr98gXgeLBXJnbl/N5tcspIZ4chPnWN2Vn dY6QqQYFJyWLJAB8Neq+sJk1Cr7Cl44x834CUttVoU1FwHRlY2oj8riuoVfkgkb+jGSm 2ux0T4phfzgdULapqcyHE+yuujq0O1LPIrxTYbVf6zlu5i9c37iQil/Y1lsDyupX29SG Fg8BZPs3wi7TYMLGnF2Ibc8TRztwLUsBuQsuAXuGjg/D/+wne4TbZVTsvLIRrblbWOLx e1OPpwuGIaAE4q/q3vWag9HaVoodznylHfFoWdmjOD15LNr4sxLI0OkDIcec3p+8vrx+ faUg==
X-Gm-Message-State: AOJu0Yx2EJ2WCG/IhzERIK2agF4UuwyevstLg0dXPxWkFwQzsvw1SHuW Tk80FONgz4FhjYpGQkTUmmoohGdhU9ANnEOx68TwkzRdzhyQWMv/LFz3/UsB3CCXaj/oxvwPO35 +LuQSpBWlTjufmYrQ976ey/NBeqfSyJL/jWk4bA==
X-Google-Smtp-Source: AGHT+IE6E9DWBHXy6hCfc9DXrXpzvMnKAYYo3YOW7ikGGLoV7T1Iiu/E/kIZzbpp/7IKKL+ZThdryVgLi9qR/yK9+YM=
X-Received: by 2002:a17:906:4e8e:b0:a46:c1fd:9a86 with SMTP id v14-20020a1709064e8e00b00a46c1fd9a86mr2570496eju.0.1710812039995; Mon, 18 Mar 2024 18:33:59 -0700 (PDT)
MIME-Version: 1.0
References: <CAN3x4QkK6dFnoo0wfyCBf9_beuQf+Og9+EhoeYvMUbFaoGw8zw@mail.gmail.com> <7EB59D53-7CC4-4AD3-9652-56EA622D25EE@gmail.com>
In-Reply-To: <7EB59D53-7CC4-4AD3-9652-56EA622D25EE@gmail.com>
From: Amir Omidi <amir@aaomidi.com>
Date: Mon, 18 Mar 2024 21:33:48 -0400
Message-ID: <CAOG=JUKs+5J4eS3wFocP0JgSeQS0KHTgkE51JfNA=PTbYwBYAg@mail.gmail.com>
To: Seo Suchan <tjtncks@gmail.com>
Cc: acme@ietf.org
Content-Type: multipart/alternative; boundary="000000000000ebfe370613f97760"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/ePaXyCEJxzoWVvgMjNEu9J4fvY8>
Subject: Re: [Acme] scope in dns-account-01 and dns-02 challenge
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2024 01:34:07 -0000
> I think it doesn't specify how the scope for a given challenge is decided and communicated. Great point. My intention that I should probably clarify in the draft is that the server picks based on the Authorization object: - If wildcard: true on the authorization object associated with the challenge, then the wildcard scope is used. ( https://www.rfc-editor.org/rfc/rfc8555#section-7.1.4) - If subdomainAuthAllowed: true on the authorization object associated with the challenge, then the domain scope is used. ( https://www.rfc-editor.org/rfc/rfc9444#section-4.1) - If none of these are present, then the host scope is used. I guess there's an issue here where both wildcard and subdomainAuthAllowed may be present? Out of the options presented, I like the first and the third options here. I also see what you mean by dropping dns-02, and just specifying three dns-account-01 challenges. On Mon, Mar 18, 2024 at 7:22 PM Seo Suchan <tjtncks@gmail.com> wrote: > Would it be illegal to server probe both scope and pass if there is > intended token? > > > On 2024년 3월 19일 오전 8시 3분 7초 GMT+09:00, Jacob Hoffman-Andrews <jsha= > 40letsencrypt.org@dmarc.ietf.org> wrote: > >> Thanks, authors, for the updates in >> https://datatracker.ietf.org/doc/html/draft-ietf-acme-scoped-dns-challenges-00 >> . >> >> Adding a "scope" (host, wildcard, or subdomain) to the DNS record name is >> great. Reading the draft, I think it doesn't specify how the scope for a >> given challenge is decided and communicated. Three ideas: >> >> 1. Server picks, and tells the client. >> >> The challenge object contains a "scope" field. The client verifies that >> the indicated scope is one of "host", "wildcard", or "subdomain", and is >> less than the maximal scope the client is willing to validate for. For >> instance, a client might be configured to only accept "host" scope. >> >> 2. Client picks. >> >> When the client POSTs to the challenge URL, instead of sending the empty >> object {}, it sends {"scope": "host"}, {"scope": "wildcard"}, or {"scope": >> "domain"}. The server verifies that the request scope is sufficient for the >> authorization object (i.e. "wildcard" or above for an authorization object >> that can be used to issue for a wildcard name), then performs the >> validation. >> >> 3. Server offers options via challenge types >> >> We explode out the challenge types from two to six: >> >> dns-host-02 >> dns-wildcard-02 >> dns-domain-02 >> dns-account-host-01 >> dns-account-wildcard-01 >> dns-account-domain-01 >> >> The server populates the authorization object with only those challenge >> types that are acceptable. For instance, if the authorization object can be >> used to issue for a wildcard name, the server would not offer dns-host-02 >> or dns-account-host-01. >> >> I like this option the best because it provides cleaner separation, and >> uses the design of ACME nicely: servers offer appropriate challenges, and >> clients pick the challenge that works best for them. Also it allows for >> clean implementation in the BRs: they could specify by name which challenge >> types are allowed to issue for wildcards. >> >> Of course, it feels messy to define so many challenge types. Perhaps we >> could eliminate the dns-02 family? The idea being that clients and servers >> that wish to adopt the modern best practices from >> https://datatracker.ietf.org/doc/draft-ietf-dnsop-domain-verification-techniques/, >> they can also adopt the account-scoping features of the dns-account-01 >> family, which are not burdensome. >> > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme >
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Seo Suchan
- [Acme] scope in dns-account-01 and dns-02 challen… Jacob Hoffman-Andrews
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Amir Omidi
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Ilari Liusvaara
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Jacob Hoffman-Andrews
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Amir Omidi
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Ilari Liusvaara
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Jacob Hoffman-Andrews
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Amir Omidi
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Jacob Hoffman-Andrews
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Ilari Liusvaara