Re: [Acme] ACME wildcards vs. subdomain authorizations (was RE: Call for adoption draft-frield-acme-subdomains)

Felipe Gasper <felipe@felipegasper.com> Tue, 21 January 2020 14:14 UTC

From: Felipe Gasper <felipe@felipegasper.com>
Date: Tue, 21 Jan 2020 09:14:46 -0500
Cc: "Owen Friel (ofriel)" <ofriel@cisco.com>, IETF ACME <acme@ietf.org>
Message-Id: <4F215F28-9499-4256-816A-FE764379C6B3@felipegasper.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/fEIE2f6Tt2kqCDFoCCzj4Dnwf1Q>

> On Jan 21, 2020, at 8:04 AM, Ryan Sleevi <ryan-ietf@sleevi.com> wrote:
> 
> On Tue, Jan 21, 2020 at 7:14 AM Owen Friel (ofriel) <ofriel@cisco.com> wrote:
> > Also, the linked document states:
> > 
> >    The call flow illustrates the DNS-based proof of ownership mechanism,
> >    but the subdomain workflow is equally valid for HTTP based proof of
> >    ownership.
> > 
> > Can’t I have HTTP access to a base domain’s website without having access to a
> > subdomain’s, though? I thought that was the reason why ACME limits wildcard
> > authz to DNS.
> 
> [ofriel] Daniel has clarified this already. It's a Let's Encrypt, not an ACME, limitation.
> 
> Although the CA/Browser Forum / Browser Stores have repeatedly discussed forbidding it. That is, allowing the HTTP and TLS methods of validation to only be scoped for the host in question (and potentially the service in question, if we can work out the safe SRVName transition, due to the interaction of nameConstraints and policy)
> 
> Would it be simpler to remove the statement from the draft, rather than try to clarify equally valid refers to the technology without commenting on the policy?

For what my opinion is worth, that seems reasonable--though perhaps the best might be to defer explicitly to the CA/B guidelines, e.g., “whatever validation methods CA/B allows for subdomains/wildcards, this also allows.”

-F