Re: [Acme] Wildcard certificate via http-01

Thomas-Louis Laforest <tomlaf@hotmail.com> Wed, 24 January 2018 23:37 UTC


Good day,

I’m new to this, so if the comment is not appropriate, I’m sorry.

I do know of use cases where the wildcard certificate is requested as a way for a domain owner to have SSL protection for all his current and future subdomains, without having any intention to actually host a wildcard HTTP server, but rather numerous specific subdomains.

I’m not even sure this is a good idea, as this will expose, at least during the authentication phase, a web service to the load of any miswritten subdomain web activity.

I’m not sure if access to a specific HTTP subdomain could be an effective way to demonstrate effective full domain control.

For example, let’s say (no idea if this is active somewhere) a well-known organisation has a wildcard DNS setting that goes to a subcontractor to catch all mislabelled subdomain entries; this does not mean the subcontractor’s HTTP service has the authority to have a wildcard. (Let’s imagine a bank that wants to monitor mislabelled subdomains.)

Thomas-Louis Laforest

> Le 24 janv. 2018 à 16:58, Hugo Leisink <hugo@leisink.net> a écrit :
> 
> Hi,
> 
> While implementing ACMEv2 for Let's Encrypt, I noticed that wildcard
> certificates can only be obtained via dns-01. Because it's not possible
> for me to do that automatically, I proposed them a way to do it via
> http-01. After they said that 'it might work', they told me to contact
> you about this.
> 
> My idea is that when a client requests a wildcard certificate
> (*.domain.tld), the CA server offers a challenge and requests that
> challenge via HTTP while using a random hostname (<long random
> string>.domain.tld). Because only a webserver with a website configured
> for *.domain.tld and with a properly configured DNS can respond to this
> challenge, it's enough proof that the request for a wildcard certificate
> is valid. Perhaps the CA server can do multiple requests with a new
> randomly chosen hostname for more proof. After all, they will all end up
> at the same website.
> 
> The discussion about this at the Let's Encrypt forum can be found here:
> https://community.letsencrypt.org/t/wildcard-certificates-via-http-01/51223
> 
> I'd really like to hear your thoughts about this.
> 
> Kind regards,
> Hugo Leisink
> 
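To make the disagreement in the two messages above concrete, the following is an added model written for this page; it is not code from either author nor from any ACME CA. It assumes a constructed zone `bank.example` in which the owner runs `www` itself while a wildcard record sends every other label to a subcontractor's catch-all host, and the function and variable names (`resolve`, `http01_random_label`, `dns01`, `ZONE`, `TXT_RECORDS`) are hypothetical.

```python
"""Model of the two validation methods discussed in the thread.

Token handling is simplified: a real CA checks a key authorization derived
from the token and the account key (RFC 8555), not the bare token.
"""
import secrets

# Constructed zone: the owner serves www itself, but a wildcard A record
# hands every other label to a subcontractor's catch-all host.
ZONE = {
    "www.bank.example": "owner-web",
    "*.bank.example": "contractor-catchall",
}
# Tokens each HTTP host is willing to serve under /.well-known/acme-challenge/.
HTTP_RESPONDERS = {"owner-web": set(), "contractor-catchall": set()}
# TXT records; in this model only the zone owner can write here.
TXT_RECORDS = {}


def resolve(name):
    """Resolve a hostname the way a catch-all wildcard record would."""
    if name in ZONE:
        return ZONE[name]
    _, parent = name.split(".", 1)
    return ZONE.get("*." + parent)


def http01_random_label(domain, publishing_party):
    """The proposed check: fetch the token from <random>.domain over HTTP.

    publishing_party is whoever places the token on its web host. Returns
    True if the CA would accept the wildcard request on that basis."""
    token = secrets.token_urlsafe(16)
    host = f"{secrets.token_hex(8)}.{domain}"
    HTTP_RESPONDERS[publishing_party].add(token)
    served_by = resolve(host)
    return served_by is not None and token in HTTP_RESPONDERS[served_by]


def dns01(domain, party_can_edit_zone):
    """dns-01 as used for wildcards: TXT record at _acme-challenge.domain."""
    token = secrets.token_urlsafe(16)
    name = f"_acme-challenge.{domain}"
    if party_can_edit_zone:
        TXT_RECORDS.setdefault(name, set()).add(token)
    return token in TXT_RECORDS.get(name, set())
```

In this zone the catch-all subcontractor passes the random-label http-01 check while the actual owner, who hosts only `www`, cannot; dns-01 passes only for the party that can edit the zone.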