IETF Logo Mail Archive

Re: [Acme] acme subdomains open items

Ryan Sleevi <ryan-ietf@sleevi.com> Wed, 09 December 2020 19:50 UTC

Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5D3C3A1141 for <acme@ietfa.amsl.com>; Wed, 9 Dec 2020 11:50:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.419
X-Spam-Level:
X-Spam-Status: No, score=-1.419 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r4eP6rhnsrX9 for <acme@ietfa.amsl.com>; Wed, 9 Dec 2020 11:50:43 -0800 (PST)
Received: from mail-pf1-f173.google.com (mail-pf1-f173.google.com [209.85.210.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E073C3A10D8 for <acme@ietf.org>; Wed, 9 Dec 2020 11:50:43 -0800 (PST)
Received: by mail-pf1-f173.google.com with SMTP id d2so1746086pfq.5 for <acme@ietf.org>; Wed, 09 Dec 2020 11:50:43 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=XY1u1mFG91NocUo6VP68I7mcolNgrvvZHetY+gWo6kk=; b=FRznZJXGCcTEPgEeJzMrS8BANtARJzdyxvIb7da0j+Ik/sQcFDNJimtMjFrVpOsjhy Y2aEPVla+solP6BUC2obkNsaHAyiZ/2/5i03tOFbCq/HFTzAitcCvyaQ2xLtbHnF/e0/ mN0jQ0asscw53j93nJ+oGNs+WETmmBUbvGKzZ1DQYU8kpDY/clhZK38XQM09KUOUtc+9 1z5wHYt84h2X2s5DnjYaGezmKoTg3PUO2YWLRxgqDzZ1Ls04LyNI20JGM5xtcnPu5ReY jE1L9qVVCtRfcstW98+am7m8SyI4GxV1cQTJHnfcCqKGPsHBzIgWo/Fw/EavrACbwbcZ WGbg==
X-Gm-Message-State: AOAM533iN4D/z3nKypOPIyhDiAwB+BpFrA0ivOdZDDtJ+RWaEdcErFvr +z1xjrf/9XQCNB7O6TM66UWdQsFxS+s=
X-Google-Smtp-Source: ABdhPJzHmPW3yzRuBpPXusjFIWedz4vlm0rdfaYvAGVhBQVgVOWq5KrkIyexWpqlxMjnvUUUUQotfw==
X-Received: by 2002:a62:e30c:0:b029:19d:932b:a1e2 with SMTP id g12-20020a62e30c0000b029019d932ba1e2mr3432123pfh.78.1607543443102; Wed, 09 Dec 2020 11:50:43 -0800 (PST)
Received: from mail-pf1-f170.google.com (mail-pf1-f170.google.com. [209.85.210.170]) by smtp.gmail.com with ESMTPSA id y14sm3596707pfo.142.2020.12.09.11.50.42 for <acme@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 09 Dec 2020 11:50:42 -0800 (PST)
Received: by mail-pf1-f170.google.com with SMTP id w6so1756268pfu.1 for <acme@ietf.org>; Wed, 09 Dec 2020 11:50:42 -0800 (PST)
X-Received: by 2002:a63:171b:: with SMTP id x27mr3449727pgl.70.1607543442472; Wed, 09 Dec 2020 11:50:42 -0800 (PST)
MIME-Version: 1.0
References: <CY4PR11MB168504F6D4CF495E8AE8F729DBF10@CY4PR11MB1685.namprd11.prod.outlook.com> <CA7603D9-DFDA-4FA6-A76C-D4E0E638A956@felipegasper.com> <CY4PR11MB16851AD65ACF736CE6FD55A8DBF10@CY4PR11MB1685.namprd11.prod.outlook.com> <CAErg=HEON6756+_3Lfbe=r=3rxV9gAundvG5mBEEOzsKqL8x3w@mail.gmail.com> <CY4PR11MB168593FCC8F11DF836FD12EADBCE0@CY4PR11MB1685.namprd11.prod.outlook.com> <CAErg=HHxbhbZQAdf2SRjFVUezmkGcg+OdeZL_ey0AwubxkSVSA@mail.gmail.com> <16962.1607347826@localhost> <CAErg=HGM5bmm=oJ1ya8gC3EiW8KQJTq2N3fxisDsgSPYKd=DbQ@mail.gmail.com> <2310.1607463183@localhost> <CAErg=HHOjdYAzCvx4vKkPAAMyEzJYqR_E-Ns=_a9pqeD8ny4eA@mail.gmail.com> <29885.1607476438@localhost>
In-Reply-To: <29885.1607476438@localhost>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Wed, 09 Dec 2020 14:50:31 -0500
X-Gmail-Original-Message-ID: <CAErg=HEPyUr6y6LFfo3KcgF=JS1BuTsFkVNJEB_zkP1tQZ4BCg@mail.gmail.com>
Message-ID: <CAErg=HEPyUr6y6LFfo3KcgF=JS1BuTsFkVNJEB_zkP1tQZ4BCg@mail.gmail.com>
To: Michael Richardson <mcr@sandelman.ca>
Cc: Ryan Sleevi <ryan-ietf@sleevi.com>, "Owen Friel (ofriel)" <ofriel@cisco.com>, Felipe Gasper <felipe@felipegasper.com>, "acme@ietf.org" <acme@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d9870205b60d5fdf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/guJ7Ay4C1viN0Zz3P1sMo1oMmJU>
Subject: Re: [Acme] acme subdomains open items
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2020 19:50:46 -0000

On Tue, Dec 8, 2020 at 8:14 PM Michael Richardson <mcr@sandelman.ca> wrote:

>     > Alas, I'm equally at a loss to understand what you're asking here,
> as I
>     > can't make much sense of your question?
>
> dns-01 challenges for bar.bar.foo.example do not have to show control over
> foo.example.
> Yet, you seem to think that they do.
>

Thanks for being clear!

To respond: No, I don't.

I'm highlighting that for a requested identifier of "baz.bar.foo.example",
the CA is permitted to challenge for "bar.foo.example" or "foo.example".
Indeed, some CAs, by default, will *only* challenge for "foo.example",
despite that being a parent of the requested domain, because they want to
reduce the effort involved to issue other certificates to that user.

Now, I never said a CA "has" to, but it's certainly true that a number of
CAs do, in fact, require this as their standard operating procedure, and my
understanding is that this proposal was specifically about enabling such
cases within ACME. That is, more generally, making a clear and well-lit
path where the domain used in the authorization does not match the domain
in the certificate.

Is that an unreasonable understanding? It seems directly supported in the
text of the draft, Section 5.4,
https://tools.ietf.org/html/draft-friel-acme-subdomains-03#section-5.4 ,
example 1.


>
>     >> The client does not demonstrate control over lex.example using
> dns-01 when
>     >> it
>     >> asks for so.me.comp.lex.example.
>
>     > Is that not literally what this draft is proposing (e.g.
>     >
> https://tools.ietf.org/html/draft-friel-acme-subdomains-03#section-5.2 ) ?
>
> It demonstrates control (during the authorization) for lex.example, which
> allows it to fullfil orders for so.me.comp.lex.example.
>
> Your line of questioning implies you think the reverse.
> 5.2 clearly shows authorization for example.org, followed by an order for
> sub.example.com


I am again at a loss for what you mean here / what you are attributing to
me. Equally, I'm hoping that the "example.org" / "sub.example.com", as I
cannot make any sense of what you said otherwise.

As to your statement about me thinking the reverse, I'm hoping you can
perhaps rephrase the following paragraph in Section 5.1:

   It may make sense to use the ACME pre-authorization flow for the
   subdomain use case, **however, that is an operator implementation and
   deployment decision.**  With the ACME pre-authorization flow, the
   client could pre-authorize for the parent domain once, and then issue
   multiple newOrder requests for certificates for multiple subdomains.

With the section in emphasis (**), it seems clear that this draft is not
prescriptive as to whether the example in Section 5.2 (the
"pre-authorization flow") needs to be required.

To try to be clearer, since it seems you and I may be talking past each
other and have been for some time, I'm considering the following flow:

- POST /newOrder "so.me.comp.lex.example"

Where the server needs to determine the appropriate set of authorizations
to return for this case and the set of challenges within those
authorizations. Again, this seems directly supported by Section 5.4 of the
draft,
https://tools.ietf.org/html/draft-friel-acme-subdomains-03#section-5.4 ,
example 1.


>     > In the pre-auth flow, the client affirmatively requests
> "lex.example" (In
>     > the illustration here, "example.org"), in order to authorize
>     > "so.me.comp.lex.example" (in the illustration here, "sub.example.org
> ").
>     > That is, the client explicitly declares their naming scope.
>
>     > However, in the pre-auth flow, you have to know that the client will
> want
>     > to be able to /newOrder for "sub.example.org" (as Step 2 in the
>     > illustration), since you shouldn't return http-01 authorizations in
> Step 1
>     > for this case.
>
> how are http-01 authorizations involved?
> The client asks for dns-01 authorizations.


Can you point me to the text in the draft you're using to support this
statement? As far as I can tell, there's nothing in the draft to indicate
that the client asks for dns-01 authorizations. Further, there's nothing as
far as I can tell that prohibits, restricts, or even allows a CA to
indicate that an http-01 authorization would not be allowed.

v2.23.0 | Report a Bug | By Email