IETF Logo Mail Archive

Re: [Acme] DNS-ACCOUNT-01 Updates

Amir Omidi <aaomidi@google.com> Thu, 18 May 2023 21:03 UTC

Return-Path: <aaomidi@google.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09381C151081 for <acme@ietfa.amsl.com>; Thu, 18 May 2023 14:03:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.596
X-Spam-Level:
X-Spam-Status: No, score=-17.596 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TVD_PH_BODY_ACCOUNTS_PRE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KNQkjBLJatxB for <acme@ietfa.amsl.com>; Thu, 18 May 2023 14:03:24 -0700 (PDT)
Received: from mail-wr1-x433.google.com (mail-wr1-x433.google.com [IPv6:2a00:1450:4864:20::433]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 116FBC14CE2B for <acme@ietf.org>; Thu, 18 May 2023 14:03:24 -0700 (PDT)
Received: by mail-wr1-x433.google.com with SMTP id ffacd0b85a97d-3090d3e9c92so2450155f8f.2 for <acme@ietf.org>; Thu, 18 May 2023 14:03:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1684443802; x=1687035802; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=3nT036RTPa8u6l4KXJ6KGvTCmLuxRiS1raGUxZ/5NIQ=; b=ZkaNFChXYWalSlhmQTJWDA7Tphi8nDTD5/gwlP7nGUM7Id/kvX6+mtjHP/HMoxy79l 5cdmrBLOqKlOL/0cXQYL/18j2OsUTOsHA/02IXsIGSC6yy8TEz5ZGuo6EdMq7e4I1Dy2 K2uhPe/kQMC/TVKlBgU0dUt31oDcIJsnshtGSVYslaXXbNT+hYxSseExvx4y38VlagvQ o0yP4bg/PECZ82qgnhOZnNAFzR6sxi0OctASwkY2ECUKPFimi3ErWEtx0J/iBobjnOGv GLObpUWiUEJ+ePvr1DFl6ineXl7QNQnUieccvKjFzQ+ny//aJEQ7jWJbjsCEJTiRwydE frPg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684443802; x=1687035802; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=3nT036RTPa8u6l4KXJ6KGvTCmLuxRiS1raGUxZ/5NIQ=; b=j3WmlakE8lLXw0rNG0vjkk8Zm8jalxmwb7uBOvfdSFA7hVf9wwd/mzwQljz4/Zf7W4 VNLJ77olMbpi9ibLa9VuHfuhd9mZ1jDKHOT3CVa/6htdWESRlVk6ornC4QKOv8SqiRsG tRLPiG5tOjGUOtCZYgbOMZ/kHfHAo8L4ojciclHEI34TJ8mvVumItyizFP9ZCLrVYbX+ I/Rnmf8LZbxPmQQgpEyFkPhX0KE8hXFcEK6cUiOvp5MsxPouaq6Yb24j+weUiRW1hykA pVQ/Kp3LJFoR5r6mFgNvHrWpR9cd7mJw8UCIJZZya3frMXSi0Sv2RIfpXbBW+sqpDwhC Z1mg==
X-Gm-Message-State: AC+VfDxQ2wZ6bT77DBIihmvpbvGFXtKWajD7q67kt/pmY0jXTUqW9Bo5 HQ426siaYBffr5cSaMAqbTH286w6jVdZIH/c3a+Zfw==
X-Google-Smtp-Source: ACHHUZ4PkWnJJLV+p/oAYT8iZlkxo/s8TjxoxnhkuZUKgEdp6Q/uvIXInJCQVP+geJwLq878C6MjVZUlDjULhnPYE1Y=
X-Received: by 2002:adf:fc47:0:b0:309:44ed:cd0d with SMTP id e7-20020adffc47000000b0030944edcd0dmr24378wrs.64.1684443802160; Thu, 18 May 2023 14:03:22 -0700 (PDT)
MIME-Version: 1.0
References: <22209596-7C4D-42F4-9415-98F106047C33@gmail.com> <CAEmnErcRPMn9SiBNHtS0-oVEXVJCR+c9eXavGXMU6NLgoakwsA@mail.gmail.com> <CAMEWqGsXZGmP2VXcEemxM9T+2+zAppY2orP6wXyW+1xCeHuviA@mail.gmail.com> <ebd953b1-ce32-02ac-f133-86586c6278e6@gmail.com>
In-Reply-To: <ebd953b1-ce32-02ac-f133-86586c6278e6@gmail.com>
From: Amir Omidi <aaomidi@google.com>
Date: Thu, 18 May 2023 17:03:10 -0400
Message-ID: <CAMh843ubkh51cXOO8PNK9OasbzKrZz4=e4h+67j5Et-hKo=k3g@mail.gmail.com>
To: Seo Suchan <tjtncks@gmail.com>
Cc: acme@ietf.org
Content-Type: multipart/alternative; boundary="00000000000079534805fbfe22b7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/ea4qMj-kjx7C0ETwHNimYz2L4aY>
Subject: Re: [Acme] DNS-ACCOUNT-01 Updates
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 May 2023 21:03:28 -0000

I think what decision happens here will probably end up setting the
precedent on either these digits are "version numbers" of the "base
challenge types" (Not sure what to call them), and they act as a
replacement of them. Or that they are another flavor of the
technologies/protocols used in those challenges. I do not have strong
opinions here either way.

Another factor to consider is how would support/Q&A forums feel about the
name choice of DNS-ACCOUNT-01 vs DNS-02. For example, if there is anyone
here who's keeping an eye on the Let's Encrypt's community forum do you
think DNS-02 would make things easier or harder for users adopting ACME
based certificate issuance and the folks helping them out? If harder, do
you think DNS-ACCOUNT-01 would be a better option here?

On Sat, May 13, 2023 at 5:24 AM Seo Suchan <tjtncks@gmail.com> wrote:

> I kinda think TLS-SNI-02 was made as version 2 of TLS-SNI-01, but it
> doesn't matter as they are no longer a thing
> 2023-05-13 오전 3:43에 Q Misell 이(가) 쓴 글:
>
>
> I'm also in favour of calling it DNS-02. I highly doubt there will be many
> (if any) versions of challenges beyond version 1. It makes more sense to me
> to read DNS-02 and DNS challenge type 2, not a upgraded edition of version
> 1.
> ------------------------------
>
> Any statements contained in this email are personal to the author and are
> not necessarily the statements of the company unless specifically stated.
> AS207960 Cyfyngedig, having a registered office at 13 Pen-y-lan Terrace,
> Caerdydd, Cymru, CF23 9EU, trading as Glauca Digital, is a company
> registered in Wales under № 12417574
> <https://find-and-update.company-information.service.gov.uk/company/12417574>.
> ICO register №: ZA782876 <https://ico.org.uk/ESDWebPages/Entry/ZA782876>.
> UK VAT №: GB378323867. EU VAT №: EU372013983. Turkish VAT №: 0861333524.
> South Korean VAT №: 522-80-03080. Glauca Digital and the Glauca logo are
> registered trademarks in the UK, under № UK00003718474 and № UK00003718468,
> respectively.
>
>
> On Fri, 12 May 2023 at 17:58, Aaron Gable <aaron=
> 40letsencrypt.org@dmarc.ietf.org> wrote:
>
>> For what it's worth, I'm in favor of calling it DNS-02. Despite your
>> totally correct descriptions of the disadvantages of this new method, I
>> *do* still view it as a generally-improved version of DNS-01. It's
>> obviously backwards-incompatible, hence the new major version number, but
>> it is generally an improvement that creates more flexibility for clients at
>> little cost. I also find the name "DNS-ACCOUNT-01" to be slightly
>> unfortunate, as no "dns accounts" are involved -- it makes sense once you
>> understand the method, but the name gives little to no hint to how the
>> method works on its own.
>>
>> Aaron
>>
>> On Thu, May 11, 2023 at 4:52 PM Antonios Chariton <daknob.mac@gmail.com>
>> wrote:
>>
>>> Hello everyone,
>>>
>>> I’m sending this e-mail to the list to update you all on DNS-ACCOUNT-01
>>> and the news we have since the presentation in IETF 116.
>>>
>>> You can all help by reviewing the text[0], these updates, and sharing
>>> your opinion in this thread here!
>>>
>>> The CA/B Forum 2023-05-04 meeting discussed DNS-ACCOUNT-01 and three
>>> things came out of it, as it is evident in the minutes[1]:
>>>
>>> 1) This method is compatible with the CA/B Forum Baseline Requirements
>>> that are binding for all WebPKI CAs, specifically section 3.2.2.4.7 for
>>> agreed-upon change to a DNS record. This means that CAs can start using
>>> this standard immediately, and there are no other dependencies. The design
>>> seemed to be good in its current version. Obviously, quick changes to their
>>> CP/CPS may be required, but this is not blocking and unilateral.
>>>
>>> 2) There is a documented need for various usecases where this challenge
>>> would help, from several stakeholders, and evidence that it could be
>>> beneficial to the ecosystem and its development. It allows ACME to be used
>>> in even more situations where more traditional and non-automatable methods
>>> had to be relied upon.
>>>
>>> 3) There was a suggestion to rename this challenge to DNS-02. This is
>>> something that we had rejected back when we created this challenge, however
>>> it has been suggested several times, so we are happy to reconsider this. It
>>> may be the right choice.
>>>
>>> There’s no published precedence of what -02 means right now, so it’s
>>> unclear whether it is a second option, or a next generation / improved
>>> challenge. We never planned to replace DNS-01 with our challenge, we always
>>> intended to add more options, and cover more use cases. Here are some
>>> technical “disadvantages” of this work vs DNS-01:
>>>
>>> 1) ACME Clients need to calculate the correct label. Although we provide
>>> the algorithm, a bash script, and test vectors, anecdotal data from ISRG
>>> suggest that some clients still mess things up (implementing RFC 8555), so
>>> this is another value where this may happen. An easy solution here would be
>>> to share the expected label with the client, but we decided against this to
>>> protect against cross-protocol attacks, and also to protect the client
>>> against an ACME server giving it arbitrary DNS records to change. If
>>> clients calculate this independently, they don’t need to trust the server.
>>>
>>> 2) The label is longer, so some very very long domain names may no
>>> longer work. Since this is 17 characters longer than DNS-01’s label,
>>> anything approaching the various limits (of DNS, etc.) may break. For
>>> example, if in DNS-01 you end up with a 236-253 character domain name to
>>> check for the TXT record, then DNS-ACCOUNT-01 will go over the limit and
>>> won’t work. We don’t consider this to be a major problem. We’re also not
>>> aware of many domain names in the 236-253 character range.
>>>
>>> 3) If an ACME client for whatever reason loses access to the ACME
>>> account, this “set and forget” DNS label now has to change. Things would
>>> break here with other standards too (if you need an EAB token, you can’t
>>> create a new account anyways, if you limit the ACME account via CAA
>>> records, you can’t issue, etc.) but DNS-ACCOUNT-01 would just add to the
>>> things that would have to be taken into account. We don’t currently
>>> consider this a huge issue, but if you think it could be, let us know.
>>>
>>> As you can see, these 3 tradeoffs above had to be made, to ensure we can
>>> cover more use cases. We think these are good tradeoffs for an additional
>>> ACME challenge, but perhaps they are not for an “upgraded” one.
>>>
>>> What do you think about the naming? Do you perceive “DNS-02” as an
>>> improved version, or as a second option? We are happy to rename this to
>>> DNS-02 and we have no plans of breaking any ACME server or client already
>>> using DNS-01 :)
>>>
>>> Thanks for reading through this, and I am happy to hear your thoughts
>>> and get reviews on the draft, so we can move further with this work.
>>>
>>> Antonios Chariton
>>> Independent Contributor ;)
>>>
>>> - - -
>>> Links:
>>>
>>> [0] :
>>> https://archive.cabforum.org/pipermail/validation/2023-May/001892.html
>>> [1] : https://daknob.github.io/draft-todo-chariton-dns-account-01/
>>> _______________________________________________
>>> Acme mailing list
>>> Acme@ietf.org
>>> https://www.ietf.org/mailman/listinfo/acme
>>>
>> _______________________________________________
>> Acme mailing list
>> Acme@ietf.org
>> https://www.ietf.org/mailman/listinfo/acme
>>
>
> _______________________________________________
> Acme mailing listAcme@ietf.orghttps://www.ietf.org/mailman/listinfo/acme
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>

v2.23.0 | Report a Bug | By Email