Re: [Acme] ACME wildcards vs. subdomain authorizations (was RE: Call for adoption draft-frield-acme-subdomains)

"Owen Friel (ofriel)" <ofriel@cisco.com> Tue, 28 January 2020 21:50 UTC

From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Felipe Gasper <felipe@felipegasper.com>
CC: IETF ACME <acme@ietf.org>
Thread-Topic: [Acme] ACME wildcards vs. subdomain authorizations (was RE: Call for adoption draft-frield-acme-subdomains)
Date: Tue, 28 Jan 2020 21:50:30 +0000
Message-ID: <MN2PR11MB39016F60B67ED4D91A23F776DB0A0@MN2PR11MB3901.namprd11.prod.outlook.com>
References: <MN2PR11MB3901512A25A395E684808FFBDB5F0@MN2PR11MB3901.namprd11.prod.outlook.com> <MN2PR11MB3901D33CB72236ECF7BA437ADB320@MN2PR11MB3901.namprd11.prod.outlook.com> <B5F428E5-D08E-4EE6-9807-B51395F58643@felipegasper.com> <MN2PR11MB3901CDCC1358EEF12169EE1DDB0D0@MN2PR11MB3901.namprd11.prod.outlook.com> <F65ED1C3-096C-4E06-B255-C3EDC8BCC954@felipegasper.com>
In-Reply-To: <F65ED1C3-096C-4E06-B255-C3EDC8BCC954@felipegasper.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/ft3cQyCcQFgRIzQRE4oAsAoJ3BY>
Subject: Re: [Acme] ACME wildcards vs. subdomain authorizations (was RE: Call for adoption draft-frield-acme-subdomains)


> -----Original Message-----
> From: Felipe Gasper <felipe@felipegasper.com>
> Sent: 21 January 2020 14:01
> To: Owen Friel (ofriel) <ofriel@cisco.com>
> Cc: IETF ACME <acme@ietf.org>
> Subject: Re: [Acme] ACME wildcards vs. subdomain authorizations (was RE: Call
> for adoption draft-frield-acme-subdomains)
> 
> 
> > On Jan 21, 2020, at 7:13 AM, Owen Friel (ofriel) <ofriel@cisco.com> wrote:
> >
> >>
> >> Will this document eventually also describe subdomain authz via the
> >> standard ACME workflow?
> >>
> >> <snip>
> >
> > [ofriel] That’s the exact workflow that the document is attempting to
> describe, so maybe it needs to be clarified.
> > The example section https://tools.ietf.org/html/draft-friel-acme-subdomains-
> 01#section-4.2 (and I realise now looking at it that I messed up the numbered
> steps - they are all '1') outlines a client authorizing for "example.com" and
> getting certs for "sub0.example.com", "sub1.example.com" and
> "sub2.example.com". If it's not clear, I can try to reword it in an update.
> 
> Your document seems to confine itself to the pre-authorization workflow,
> though (as per section 4’s 2nd paragraph, anyhow); I’m thinking applicability to
> 8555’s default/standard/order-then-authz workflow.

[ofriel] Confining to pre-authorization certainly isn’t the intention, and I can clarify this.

https://tools.ietf.org/html/draft-friel-acme-subdomains-01#section-4.1 states:

" If a server has such a policy and a client is not authorized for the
   parent domain then:
...
   o  If the client submits a newOrder request for a subdomain: The
      server MUST return a status 201 (Created) response.  The response
      body is an order object with status set to "pending" and links to
      newly created authorizations objects against the parent domain." 

So some of the text explicitly allows this. I will refactor.

> 
> -FG
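As an added illustration of the section 4.1 behaviour quoted above (example code written for this archive page, not from the draft, the thread, or any ACME server): a toy model of how a server with a parent-domain policy handles a newOrder for subdomains in the standard order-then-authz flow. The one-level-up policy rule, the public-suffix set and the authorization URL prefix are constructed assumptions.

```python
# Toy model of draft-friel-acme-subdomains section 4.1 newOrder handling.
# Constructed assumptions: the CA's policy is that a valid authorization for
# the immediate parent domain covers a subdomain, the parent is never allowed
# to be a public suffix, and authorization URLs use the prefix below.
PUBLIC_SUFFIXES = {"com", "co.uk"}          # stand-in for the Public Suffix List
AUTHZ_BASE = "https://ca.example/acme/authz/"  # constructed URL prefix


def required_authz(fqdn: str) -> str:
    """Identifier the client must hold a valid authorization for.

    "sub0.example.com" -> "example.com"; "example.com" stays itself because
    its parent ("com") is a public suffix and must never be an authz target.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    parent = ".".join(labels[1:])
    if parent and parent not in PUBLIC_SUFFIXES:
        return parent
    return ".".join(labels)


def new_order(account_authz: set, identifiers: list) -> tuple:
    """Model the server's newOrder response for a list of DNS identifiers.

    Returns (http_status, order_object, created_authz_identifiers).
    """
    needed = []
    for fqdn in identifiers:
        target = required_authz(fqdn)
        if target not in needed:
            needed.append(target)
    # Authorizations the account does not already hold must be created.
    created = [t for t in needed if t not in account_authz]
    # RFC 8555: an order whose authorizations are all valid is "ready";
    # otherwise, as the quoted text says, it is "pending" and links to the
    # newly created authorizations against the parent domain.
    status = "pending" if created else "ready"
    order = {
        "status": status,
        "identifiers": [{"type": "dns", "value": f} for f in identifiers],
        "authorizations": [AUTHZ_BASE + t for t in needed],
    }
    return 201, order, created


if __name__ == "__main__":
    # Client with no authorizations orders three subdomains: one parent authz.
    print(new_order(set(), ["sub0.example.com", "sub1.example.com", "sub2.example.com"]))
    # Same client once "example.com" is authorized: order is ready immediately.
    print(new_order({"example.com"}, ["sub2.example.com"]))
```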