IETF Logo Mail Archive

Re: [Acme] Optional "Wildcard" authorization field

Richard Barnes <rlb@ipv.sx> Fri, 02 March 2018 22:22 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 122261250B8 for <acme@ietfa.amsl.com>; Fri, 2 Mar 2018 14:22:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RNe7pX9X0KQN for <acme@ietfa.amsl.com>; Fri, 2 Mar 2018 14:22:28 -0800 (PST)
Received: from mail-wm0-x231.google.com (mail-wm0-x231.google.com [IPv6:2a00:1450:400c:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6369B12DFE0 for <acme@ietf.org>; Fri, 2 Mar 2018 14:22:22 -0800 (PST)
Received: by mail-wm0-x231.google.com with SMTP id z81so5773626wmb.4 for <acme@ietf.org>; Fri, 02 Mar 2018 14:22:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=HEL36ZyeunvqMzI4v3ntF38713TQpm7rfwgl8Bayg3M=; b=A8i8cpmQluR+CWQMe9fzrzAXlLVu5w+b4BvI+HroHB/7rj+xBnPxxdNNvlw1SHviPS rNQcpVdWBECm1K/MKI/4f/nv3bAG/BVJEVMKYQbOJKmOUZB3kml25HklOGM3OFP1aJdl 58gcimaCSd//ekjWcwMsAcLD84UPcpOuQV70ilHeD/aJ4aM3ZTaYwrVe5336/CCx1TRS PGTsq40c0nIkmWALZP8bcklDOkSb4GXPSr8m+7IQ6e9KL79fEuRLV7mgpriuwtRwBVwZ R89sG6+tDCFna/sScQ/pT0lahE2xfW11sfv5B8tgtoRsbQiKWvtoAfQeG3LihYdmqwyl ZkHw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=HEL36ZyeunvqMzI4v3ntF38713TQpm7rfwgl8Bayg3M=; b=r3JpjhJ4qJnFu05PYJBS9bl4+Ti8DKPFXeezIOPWzTU8vdDYFcbqF9fi9Qap+2f8Vq YezjnQ4aoxDonGzL6NgmfC481a55OseyHCiL1UmtCLg0AsuxGnAwjnXLg88l0O44ft0/ IhwMKuH8WNbZrZBJOBA0oALBwqXfr8zPKRQgg+hLmsFwSPxf0YZEJ3AFIqBiURM68A81 iXHTX7Y3qrgFIO4MtoamQrFEBR+2CNqCo+KYZR8DQZQ5wcF/cL1cofFuir0mzpZoXbYx PvaeDWp8Fntonxen8yfSfM0fsCqluqCn/aVF8aRw1U7p9sywAgs3DasX6CAWKYQHMXBs kjVg==
X-Gm-Message-State: AElRT7GSIXGH4nZnyEUy1V7suR2+naQnwu4rl6KfBJRl5EPVNPL6OXHV 45AC4981OyrSd8xaqAr0mD2BvWQy0j5iHF8IoOrqnui4
X-Google-Smtp-Source: AG47ELubE6kTHtrTS6Nms0djMAM4f1PwYIMZYd5dlbE9Ecv7dx8sKQEpCNLwxtPdTodiuaqsGSAl0CHh8AtGSpH+g14=
X-Received: by 10.28.222.3 with SMTP id v3mr2453767wmg.25.1520029340765; Fri, 02 Mar 2018 14:22:20 -0800 (PST)
MIME-Version: 1.0
Received: by 10.28.12.140 with HTTP; Fri, 2 Mar 2018 14:22:20 -0800 (PST)
In-Reply-To: <CAKnbcLgbviD_-2bsXUuZfsg+2gQCtieXkj0wHRFk8ovUNGEBtw@mail.gmail.com>
References: <CAKnbcLjuVPZa5P2FZa_cKAGmk1dP6ezrv3AgWSp9KK5HCzxPbg@mail.gmail.com> <CAL02cgQwZzKXvPsWr=tAbB-bi2s-gw3+TtJwkawHoEEb=6MiFw@mail.gmail.com> <CAKnbcLiQdjaPN32j8WOo5vhvfoTvHPYZj5pictb47ZTWvmJXYA@mail.gmail.com> <09d9ab58-2b1b-5515-8313-128705e86437@hemio.de> <CAKnbcLgbviD_-2bsXUuZfsg+2gQCtieXkj0wHRFk8ovUNGEBtw@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Fri, 02 Mar 2018 17:22:20 -0500
Message-ID: <CAL02cgQcZvdLGcNMG710E3YDv21G9zPTBnH4y4btMK9zF7MsbA@mail.gmail.com>
To: Daniel McCarney <cpu@letsencrypt.org>
Cc: Sophie Herold <sophie_herold@hemio.de>, IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="001a114a5f14e79cde05667568d9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/eysPBaV4wYwskp4ucvORs3FtDQc>
Subject: Re: [Acme] Optional "Wildcard" authorization field
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Mar 2018 22:22:30 -0000

This is seeming like a lot of work for a pretty minor use case.

I would propose we stick with a simpler solution here.  While Sophie's
solution does seem more general, in the interest of getting the spec
shipped, I would propose we just add the boolean flag and write an
extension spec if a more general solution is needed.

--Richard


On Fri, Mar 2, 2018 at 4:58 PM, Daniel McCarney <cpu@letsencrypt.org> wrote:

> This sounds like you want to provide the order identifiers that
>> triggered this authorization within the authorization object?
>
>
> Generally speaking yes.
>
> In principle, several order identifiers could lead to a single
>> authorization I guess?
>>
>
> I think in principle that's true. ACME doesn't prescribe that there be a
> single authorization per-identifier. Perhaps Wildcards are just the most
> immediate case of there being a disconnect between the order identifiers
> and the authorizations. I was thinking only of identifier value but you're
> right that there may be a disconnect in the quantity of order
> authorizations compared to requested identifiers.
>
> It would be helpful if a CA with intentions to implement an issuance
> policy that differs from "n order identifiers, n authorizations" would
> speak up. I'm partial to the optional bool field because its very simple.
> Your proposal is more robust but also a bigger change and I'd like to know
> someone in the real world will benefit from the work involved :-)
>
> - Daniel / cpu
>
>
> On Fri, Mar 2, 2018 at 3:46 PM, Sophie Herold <sophie_herold@hemio.de>
> wrote:
>
>> On 02/03/18 18:32, Daniel McCarney wrote:
>> > Richard: That's up to the client and the situation. In the linked
>> Certbot
>> > issues there were questions about error output/UX. In this case if the
>> > client saw an error attached to an authorization with the identifier `{
>> > "type": "dns", "value": "example.com"}` and the authorization had
>> > `wildcard: true` the client could say "Failed to authorize *.
>> example.com:
>> > blah blah blah" or otherwise use the knowledge to inform their actions
>> > (whatever they may be).
>>
>> This sounds like you want to provide the order identifiers that
>> triggered this authorization within the authorization object?
>>
>> I think, in general it is just a guess that exmaple.com + wildcard means
>> that the order contains *.example.com. This depends on which
>> authorizations are created for which order identifiers, which is not
>> specified by acme.
>>
>> In principle, several order identifiers could lead to a single
>> authorization I guess? For example, if sub1.example.org and
>> sub2.example.org lead to just an example.org authorization. Therefore
>> "orderIdentifiers", as I call it here, needs to be a list:
>>
>>    {
>>      "status": "valid",
>>      "expires": "2015-03-01T14:09:00Z",
>>
>>      "identifier": {
>>        "type": "dns",
>>        "value": "example.org"
>>      },
>>
>>      "orderIdentifiers": [
>>        {
>>          "type": "dns",
>>          "value": "*.example.org"
>>        }
>>      ],
>>
>>      "challenges": [
>>      …
>>
>> Best,
>> Sophie
>>
>> _______________________________________________
>> Acme mailing list
>> Acme@ietf.org
>> https://www.ietf.org/mailman/listinfo/acme
>>
>
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>
>

v2.23.0 | Report a Bug | By Email