IETF Logo Mail Archive

Re: [Acme] scope in dns-account-01 and dns-02 challenge

Amir Omidi <amir@aaomidi.com> Tue, 19 March 2024 01:34 UTC

Return-Path: <amir@aaomidi.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE4FCC151072 for <acme@ietfa.amsl.com>; Mon, 18 Mar 2024 18:34:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aaomidi.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OR04LbeefA1d for <acme@ietfa.amsl.com>; Mon, 18 Mar 2024 18:34:03 -0700 (PDT)
Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C6B2C14F6F3 for <acme@ietf.org>; Mon, 18 Mar 2024 18:34:03 -0700 (PDT)
Received: by mail-ed1-x532.google.com with SMTP id 4fb4d7f45d1cf-568d323e7fbso2414056a12.3 for <acme@ietf.org>; Mon, 18 Mar 2024 18:34:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aaomidi.com; s=google; t=1710812040; x=1711416840; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=rRkmDXWxGKVYjJKAaaomH4pT5lXroRPHgpZxhBQtoNA=; b=a/gCB9cuNY+3jSW3VRMGJtOOLv8ot3ESdHvGloK3ulXqs6llS9eJxZVyyKM/uRH4hn yKEVs9Ls8LvCErppI1Z5p2dy727WQV5ZgkW45gLZRBP6hKhD939WKymYVp+qRV/srM5l xijJHEgS97/N6JEskzl52d9A6EsocsJRz8/8K6AvcoWdsVr31mobM2yUvesbx6u7hwbU ZZ0mo1jYRTQD1taB765Y6YOUrooeT3hVRZTzZGk6Pq/K0j5cQwFxMB+1Ipz0WaDYaenr JmN+2U0cvE2gHgYwFUpH0miH3pCZFK9Kcx2ARDfhRLESSLbOPGMCIj8eUTwTbIKbjc5x rQOg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710812040; x=1711416840; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=rRkmDXWxGKVYjJKAaaomH4pT5lXroRPHgpZxhBQtoNA=; b=xA7k/y7q9LxhlUBg8mLwI0GoYY64otlMIr98gXgeLBXJnbl/N5tcspIZ4chPnWN2Vn dY6QqQYFJyWLJAB8Neq+sJk1Cr7Cl44x834CUttVoU1FwHRlY2oj8riuoVfkgkb+jGSm 2ux0T4phfzgdULapqcyHE+yuujq0O1LPIrxTYbVf6zlu5i9c37iQil/Y1lsDyupX29SG Fg8BZPs3wi7TYMLGnF2Ibc8TRztwLUsBuQsuAXuGjg/D/+wne4TbZVTsvLIRrblbWOLx e1OPpwuGIaAE4q/q3vWag9HaVoodznylHfFoWdmjOD15LNr4sxLI0OkDIcec3p+8vrx+ faUg==
X-Gm-Message-State: AOJu0Yx2EJ2WCG/IhzERIK2agF4UuwyevstLg0dXPxWkFwQzsvw1SHuW Tk80FONgz4FhjYpGQkTUmmoohGdhU9ANnEOx68TwkzRdzhyQWMv/LFz3/UsB3CCXaj/oxvwPO35 +LuQSpBWlTjufmYrQ976ey/NBeqfSyJL/jWk4bA==
X-Google-Smtp-Source: AGHT+IE6E9DWBHXy6hCfc9DXrXpzvMnKAYYo3YOW7ikGGLoV7T1Iiu/E/kIZzbpp/7IKKL+ZThdryVgLi9qR/yK9+YM=
X-Received: by 2002:a17:906:4e8e:b0:a46:c1fd:9a86 with SMTP id v14-20020a1709064e8e00b00a46c1fd9a86mr2570496eju.0.1710812039995; Mon, 18 Mar 2024 18:33:59 -0700 (PDT)
MIME-Version: 1.0
References: <CAN3x4QkK6dFnoo0wfyCBf9_beuQf+Og9+EhoeYvMUbFaoGw8zw@mail.gmail.com> <7EB59D53-7CC4-4AD3-9652-56EA622D25EE@gmail.com>
In-Reply-To: <7EB59D53-7CC4-4AD3-9652-56EA622D25EE@gmail.com>
From: Amir Omidi <amir@aaomidi.com>
Date: Mon, 18 Mar 2024 21:33:48 -0400
Message-ID: <CAOG=JUKs+5J4eS3wFocP0JgSeQS0KHTgkE51JfNA=PTbYwBYAg@mail.gmail.com>
To: Seo Suchan <tjtncks@gmail.com>
Cc: acme@ietf.org
Content-Type: multipart/alternative; boundary="000000000000ebfe370613f97760"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/ePaXyCEJxzoWVvgMjNEu9J4fvY8>
Subject: Re: [Acme] scope in dns-account-01 and dns-02 challenge
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2024 01:34:07 -0000

> I think it doesn't specify how the scope for a given challenge is decided
and communicated.

Great point. My intention that I should probably clarify in the draft is
that the server picks based on the Authorization object:

   - If wildcard: true on the authorization object associated with the
   challenge, then the wildcard scope is used. (
   https://www.rfc-editor.org/rfc/rfc8555#section-7.1.4)
   - If subdomainAuthAllowed: true on the authorization object associated
   with the challenge, then the domain scope is used. (
   https://www.rfc-editor.org/rfc/rfc9444#section-4.1)
   - If none of these are present, then the host scope is used.


I guess there's an issue here where both wildcard and subdomainAuthAllowed
may be present?

Out of the options presented, I like the first and the third options here.
I also see what you mean by dropping dns-02, and just specifying three
dns-account-01 challenges.



On Mon, Mar 18, 2024 at 7:22 PM Seo Suchan <tjtncks@gmail.com> wrote:

> Would it be illegal to server probe both scope and pass if there is
> intended token?
>
>
> On 2024년 3월 19일 오전 8시 3분 7초 GMT+09:00, Jacob Hoffman-Andrews <jsha=
> 40letsencrypt.org@dmarc.ietf.org> wrote:
>
>> Thanks, authors, for the updates in
>> https://datatracker.ietf.org/doc/html/draft-ietf-acme-scoped-dns-challenges-00
>> .
>>
>> Adding a "scope" (host, wildcard, or subdomain) to the DNS record name is
>> great. Reading the draft, I think it doesn't specify how the scope for a
>> given challenge is decided and communicated. Three ideas:
>>
>> 1. Server picks, and tells the client.
>>
>> The challenge object contains a "scope" field. The client verifies that
>> the indicated scope is one of "host", "wildcard", or "subdomain", and is
>> less than the maximal scope the client is willing to validate for. For
>> instance, a client might be configured to only accept "host" scope.
>>
>> 2. Client picks.
>>
>> When the client POSTs to the challenge URL, instead of sending the empty
>> object {}, it sends {"scope": "host"}, {"scope": "wildcard"}, or {"scope":
>> "domain"}. The server verifies that the request scope is sufficient for the
>> authorization object (i.e. "wildcard" or above for an authorization object
>> that can be used to issue for a wildcard name), then performs the
>> validation.
>>
>> 3. Server offers options via challenge types
>>
>> We explode out the challenge types from two to six:
>>
>> dns-host-02
>> dns-wildcard-02
>> dns-domain-02
>> dns-account-host-01
>> dns-account-wildcard-01
>> dns-account-domain-01
>>
>> The server populates the authorization object with only those challenge
>> types that are acceptable. For instance, if the authorization object can be
>> used to issue for a wildcard name, the server would not offer dns-host-02
>> or dns-account-host-01.
>>
>> I like this option the best because it provides cleaner separation, and
>> uses the design of ACME nicely: servers offer appropriate challenges, and
>> clients pick the challenge that works best for them. Also it allows for
>> clean implementation in the BRs: they could specify by name which challenge
>> types are allowed to issue for wildcards.
>>
>> Of course, it feels messy to define so many challenge types. Perhaps we
>> could eliminate the dns-02 family? The idea being that clients and servers
>> that wish to adopt the modern best practices from
>> https://datatracker.ietf.org/doc/draft-ietf-dnsop-domain-verification-techniques/,
>> they can also adopt the account-scoping features of the dns-account-01
>> family, which are not burdensome.
>>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>

v2.23.0 | Report a Bug | By Email