Re: [Acme] acme subdomains open items
Ryan Sleevi <ryan-ietf@sleevi.com> Wed, 09 December 2020 19:50 UTC
Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5D3C3A1141 for <acme@ietfa.amsl.com>; Wed, 9 Dec 2020 11:50:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.419
X-Spam-Level:
X-Spam-Status: No, score=-1.419 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r4eP6rhnsrX9 for <acme@ietfa.amsl.com>; Wed, 9 Dec 2020 11:50:43 -0800 (PST)
Received: from mail-pf1-f173.google.com (mail-pf1-f173.google.com [209.85.210.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E073C3A10D8 for <acme@ietf.org>; Wed, 9 Dec 2020 11:50:43 -0800 (PST)
Received: by mail-pf1-f173.google.com with SMTP id d2so1746086pfq.5 for <acme@ietf.org>; Wed, 09 Dec 2020 11:50:43 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=XY1u1mFG91NocUo6VP68I7mcolNgrvvZHetY+gWo6kk=; b=FRznZJXGCcTEPgEeJzMrS8BANtARJzdyxvIb7da0j+Ik/sQcFDNJimtMjFrVpOsjhy Y2aEPVla+solP6BUC2obkNsaHAyiZ/2/5i03tOFbCq/HFTzAitcCvyaQ2xLtbHnF/e0/ mN0jQ0asscw53j93nJ+oGNs+WETmmBUbvGKzZ1DQYU8kpDY/clhZK38XQM09KUOUtc+9 1z5wHYt84h2X2s5DnjYaGezmKoTg3PUO2YWLRxgqDzZ1Ls04LyNI20JGM5xtcnPu5ReY jE1L9qVVCtRfcstW98+am7m8SyI4GxV1cQTJHnfcCqKGPsHBzIgWo/Fw/EavrACbwbcZ WGbg==
X-Gm-Message-State: AOAM533iN4D/z3nKypOPIyhDiAwB+BpFrA0ivOdZDDtJ+RWaEdcErFvr +z1xjrf/9XQCNB7O6TM66UWdQsFxS+s=
X-Google-Smtp-Source: ABdhPJzHmPW3yzRuBpPXusjFIWedz4vlm0rdfaYvAGVhBQVgVOWq5KrkIyexWpqlxMjnvUUUUQotfw==
X-Received: by 2002:a62:e30c:0:b029:19d:932b:a1e2 with SMTP id g12-20020a62e30c0000b029019d932ba1e2mr3432123pfh.78.1607543443102; Wed, 09 Dec 2020 11:50:43 -0800 (PST)
Received: from mail-pf1-f170.google.com (mail-pf1-f170.google.com. [209.85.210.170]) by smtp.gmail.com with ESMTPSA id y14sm3596707pfo.142.2020.12.09.11.50.42 for <acme@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 09 Dec 2020 11:50:42 -0800 (PST)
Received: by mail-pf1-f170.google.com with SMTP id w6so1756268pfu.1 for <acme@ietf.org>; Wed, 09 Dec 2020 11:50:42 -0800 (PST)
X-Received: by 2002:a63:171b:: with SMTP id x27mr3449727pgl.70.1607543442472; Wed, 09 Dec 2020 11:50:42 -0800 (PST)
MIME-Version: 1.0
References: <CY4PR11MB168504F6D4CF495E8AE8F729DBF10@CY4PR11MB1685.namprd11.prod.outlook.com> <CA7603D9-DFDA-4FA6-A76C-D4E0E638A956@felipegasper.com> <CY4PR11MB16851AD65ACF736CE6FD55A8DBF10@CY4PR11MB1685.namprd11.prod.outlook.com> <CAErg=HEON6756+_3Lfbe=r=3rxV9gAundvG5mBEEOzsKqL8x3w@mail.gmail.com> <CY4PR11MB168593FCC8F11DF836FD12EADBCE0@CY4PR11MB1685.namprd11.prod.outlook.com> <CAErg=HHxbhbZQAdf2SRjFVUezmkGcg+OdeZL_ey0AwubxkSVSA@mail.gmail.com> <16962.1607347826@localhost> <CAErg=HGM5bmm=oJ1ya8gC3EiW8KQJTq2N3fxisDsgSPYKd=DbQ@mail.gmail.com> <2310.1607463183@localhost> <CAErg=HHOjdYAzCvx4vKkPAAMyEzJYqR_E-Ns=_a9pqeD8ny4eA@mail.gmail.com> <29885.1607476438@localhost>
In-Reply-To: <29885.1607476438@localhost>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Wed, 09 Dec 2020 14:50:31 -0500
X-Gmail-Original-Message-ID: <CAErg=HEPyUr6y6LFfo3KcgF=JS1BuTsFkVNJEB_zkP1tQZ4BCg@mail.gmail.com>
Message-ID: <CAErg=HEPyUr6y6LFfo3KcgF=JS1BuTsFkVNJEB_zkP1tQZ4BCg@mail.gmail.com>
To: Michael Richardson <mcr@sandelman.ca>
Cc: Ryan Sleevi <ryan-ietf@sleevi.com>, "Owen Friel (ofriel)" <ofriel@cisco.com>, Felipe Gasper <felipe@felipegasper.com>, "acme@ietf.org" <acme@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d9870205b60d5fdf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/guJ7Ay4C1viN0Zz3P1sMo1oMmJU>
Subject: Re: [Acme] acme subdomains open items
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2020 19:50:46 -0000
On Tue, Dec 8, 2020 at 8:14 PM Michael Richardson <mcr@sandelman.ca> wrote: > > Alas, I'm equally at a loss to understand what you're asking here, > as I > > can't make much sense of your question? > > dns-01 challenges for bar.bar.foo.example do not have to show control over > foo.example. > Yet, you seem to think that they do. > Thanks for being clear! To respond: No, I don't. I'm highlighting that for a requested identifier of "baz.bar.foo.example", the CA is permitted to challenge for "bar.foo.example" or "foo.example". Indeed, some CAs, by default, will *only* challenge for "foo.example", despite that being a parent of the requested domain, because they want to reduce the effort involved to issue other certificates to that user. Now, I never said a CA "has" to, but it's certainly true that a number of CAs do, in fact, require this as their standard operating procedure, and my understanding is that this proposal was specifically about enabling such cases within ACME. That is, more generally, making a clear and well-lit path where the domain used in the authorization does not match the domain in the certificate. Is that an unreasonable understanding? It seems directly supported in the text of the draft, Section 5.4, https://tools.ietf.org/html/draft-friel-acme-subdomains-03#section-5.4 , example 1. > > >> The client does not demonstrate control over lex.example using > dns-01 when > >> it > >> asks for so.me.comp.lex.example. > > > Is that not literally what this draft is proposing (e.g. > > > https://tools.ietf.org/html/draft-friel-acme-subdomains-03#section-5.2 ) ? > > It demonstrates control (during the authorization) for lex.example, which > allows it to fullfil orders for so.me.comp.lex.example. > > Your line of questioning implies you think the reverse. > 5.2 clearly shows authorization for example.org, followed by an order for > sub.example.com I am again at a loss for what you mean here / what you are attributing to me. Equally, I'm hoping that the "example.org" / "sub.example.com", as I cannot make any sense of what you said otherwise. As to your statement about me thinking the reverse, I'm hoping you can perhaps rephrase the following paragraph in Section 5.1: It may make sense to use the ACME pre-authorization flow for the subdomain use case, **however, that is an operator implementation and deployment decision.** With the ACME pre-authorization flow, the client could pre-authorize for the parent domain once, and then issue multiple newOrder requests for certificates for multiple subdomains. With the section in emphasis (**), it seems clear that this draft is not prescriptive as to whether the example in Section 5.2 (the "pre-authorization flow") needs to be required. To try to be clearer, since it seems you and I may be talking past each other and have been for some time, I'm considering the following flow: - POST /newOrder "so.me.comp.lex.example" Where the server needs to determine the appropriate set of authorizations to return for this case and the set of challenges within those authorizations. Again, this seems directly supported by Section 5.4 of the draft, https://tools.ietf.org/html/draft-friel-acme-subdomains-03#section-5.4 , example 1. > > In the pre-auth flow, the client affirmatively requests > "lex.example" (In > > the illustration here, "example.org"), in order to authorize > > "so.me.comp.lex.example" (in the illustration here, "sub.example.org > "). > > That is, the client explicitly declares their naming scope. > > > However, in the pre-auth flow, you have to know that the client will > want > > to be able to /newOrder for "sub.example.org" (as Step 2 in the > > illustration), since you shouldn't return http-01 authorizations in > Step 1 > > for this case. > > how are http-01 authorizations involved? > The client asks for dns-01 authorizations. Can you point me to the text in the draft you're using to support this statement? As far as I can tell, there's nothing in the draft to indicate that the client asks for dns-01 authorizations. Further, there's nothing as far as I can tell that prohibits, restricts, or even allows a CA to indicate that an http-01 authorization would not be allowed.
- [Acme] acme subdomains open items Owen Friel (ofriel)
- Re: [Acme] acme subdomains open items Felipe Gasper
- Re: [Acme] acme subdomains open items Owen Friel (ofriel)
- Re: [Acme] acme subdomains open items Ryan Sleevi
- Re: [Acme] acme subdomains open items Owen Friel (ofriel)
- Re: [Acme] acme subdomains open items Ryan Sleevi
- Re: [Acme] acme subdomains open items Michael Richardson
- Re: [Acme] acme subdomains open items Ryan Sleevi
- Re: [Acme] acme subdomains open items Michael Richardson
- Re: [Acme] acme subdomains open items Ryan Sleevi
- Re: [Acme] acme subdomains open items Michael Richardson
- Re: [Acme] acme subdomains open items Ryan Sleevi
- Re: [Acme] acme subdomains open items Owen Friel (ofriel)
- Re: [Acme] acme subdomains open items Michael Richardson
- [Acme] should acme-subdomains support http-01 cha… Michael Richardson
- Re: [Acme] should acme-subdomains support http-01… Ryan Sleevi