Re: [Acme] scope in dns-account-01 and dns-02 challenge
Jacob Hoffman-Andrews <jsha@letsencrypt.org> Tue, 19 March 2024 23:35 UTC
Return-Path: <jsha@letsencrypt.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36470C151701 for <acme@ietfa.amsl.com>; Tue, 19 Mar 2024 16:35:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id URFblzl9ouG3 for <acme@ietfa.amsl.com>; Tue, 19 Mar 2024 16:35:45 -0700 (PDT)
Received: from mail-yb1-xb2a.google.com (mail-yb1-xb2a.google.com [IPv6:2607:f8b0:4864:20::b2a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E6ACC151991 for <acme@ietf.org>; Tue, 19 Mar 2024 16:34:13 -0700 (PDT)
Received: by mail-yb1-xb2a.google.com with SMTP id 3f1490d57ef6-dbed0710c74so4944959276.1 for <acme@ietf.org>; Tue, 19 Mar 2024 16:34:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; t=1710891252; x=1711496052; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=+3DObkoNJ5OUHtjwe+zyz+SSJu84tOeVnO+p8Q3JqMg=; b=ei1Qp4BGEjuezZhsBvOKGk5a4Z0JP8zz6jgQQF784qsL8BX90HvGutEQXbH5zVeJJd 5lrJp+6377NwaZam0wnFosxKM4FQ8uadnNPFyfz/NZpa5rm8RBHkZ4rLtdnq04ZCufpJ 9/sYa6U1JgHWioynU1Pydut78bxTllC56ghik=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710891252; x=1711496052; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=+3DObkoNJ5OUHtjwe+zyz+SSJu84tOeVnO+p8Q3JqMg=; b=ugy9zNQBrOKCPJbAHkK0H8SO9PuzSLE9Lm4++k28S7GnPjMhkuBLLz3YpE4/e6M/sL xO2dNGz4XJoEcTlWbquClZLXlHcJDzJiFevQzuC2hZlSaxPAgzZmBGjtH0wz/chc/Mlv 19iq5C+urbOBAPhqBnrNhk5jfc9K6YK8U6CfGOPh1BkU4IOQhU6fD6UU+3ogrFlwPFBk 4O8+MpXFb5q1RulKF/GaFq1pl2kiw4Rti4ipecrA1uf5yRXOXq/JdfLp97vpRNj3KwIR opHbbsmMhGMaZooyfFhA6PJk3upPmMPjtWqSnT6SOu0uFsDj2Pz4aZSKxAU0g9B/aipY K5aw==
X-Gm-Message-State: AOJu0YzemHk4CkJMS54jTe8Bmcy+feSfQCj0b+Sr3HCBrNN8lOfmSvCT cAMP3dGRlECu8mFwdd6MqaKWQxPvNTSkZxX0POFZLquISihBQKrBTWOVIQbi0zHkIav5ZTo+kaY GeFXIP9XPa5jzZjNfUmJR6wTcTPfv6dKXWJUauBLhwXAANpdJyxQ=
X-Google-Smtp-Source: AGHT+IEvGfCmOr/bL1Oa4rGrgw/iO+MT6zMlsBj1TGgo6PNtwJL27Wgy0Xxy4U7q5+zumLHpNpJv3Vv8zh1eOXXVai4=
X-Received: by 2002:a25:6b0b:0:b0:dc7:3265:37a9 with SMTP id g11-20020a256b0b000000b00dc7326537a9mr11337529ybc.37.1710891251961; Tue, 19 Mar 2024 16:34:11 -0700 (PDT)
MIME-Version: 1.0
References: <CAN3x4QkK6dFnoo0wfyCBf9_beuQf+Og9+EhoeYvMUbFaoGw8zw@mail.gmail.com> <7EB59D53-7CC4-4AD3-9652-56EA622D25EE@gmail.com>
In-Reply-To: <7EB59D53-7CC4-4AD3-9652-56EA622D25EE@gmail.com>
From: Jacob Hoffman-Andrews <jsha@letsencrypt.org>
Date: Tue, 19 Mar 2024 16:33:45 -0700
Message-ID: <CAN3x4QkrPT69=HMqB0cRVb6kocCQ3W0C+L1fXT1zN9dCPtaMUg@mail.gmail.com>
To: Seo Suchan <tjtncks@gmail.com>
Cc: acme@ietf.org
Content-Type: multipart/alternative; boundary="00000000000052d31f06140be946"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/kJRZV7wS-Uc0C7Zbzi426pIh6v4>
Subject: Re: [Acme] scope in dns-account-01 and dns-02 challenge
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2024 23:35:49 -0000
Seo Suchan said: > Would it be illegal to server probe both scope and pass if there is intended token? This is a possibility, but it's inefficient and I think it's likely to lead to implementation bugs. Better to be clear and explicit on both sides. Amir Omidi said: > My intention that I should probably clarify in the draft is that the server picks based on the Authorization object Yep, I figured the intention was something like this. We could call this "Server and client follow the same algorithm to arrive at the same scope." Also a valid approach! But I think we get benefits from not having that algorithm, even as simple as it is. For instance, the BRs say of some methods: > Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the Domain Labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names. If host-scoped, wildcard-scoped, and domain-scoped challenges were separate types, it would be straightforward to adapt this language to the new challenge types. Ilaria Ilusvaara said: > The client also needs to know the acceptable domains, and needs to select the domain to use. The domain to use is part of the authorization object: the identifier value (https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.4). It is chosen by the server. I think what you're getting at is that the client might feel like "I requested a new-order for www.example.com, and the server created an authorization object with an identifier value of www.example.com. But I really wish the server would have created an authorization object with an identifier value of example.com, and I would complete domain-scoped DNS challenge." This would allow the full expressiveness permitted by BRs 3.2.2.4.7 DNS Change, which has the "MAY also issue Certificates for other FQDNs that end with all the Domain Labels of the validated FQDN" language. I'd actually like to go the other direction: What if we only specify host-scoped and wildcard-scoped validations? Domain-scoped validations make sense when validations are very manual and time consuming, and you are trying to strictly minimize them. But ACME tries to make validations easy and quick, so it doesn't matter if you have to do more of them. There are still important use case for wildcard certificates, but I think there is less need for domain-scoped validations in ACME.
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Seo Suchan
- [Acme] scope in dns-account-01 and dns-02 challen… Jacob Hoffman-Andrews
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Amir Omidi
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Ilari Liusvaara
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Jacob Hoffman-Andrews
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Amir Omidi
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Ilari Liusvaara
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Jacob Hoffman-Andrews
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Amir Omidi
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Jacob Hoffman-Andrews
- Re: [Acme] scope in dns-account-01 and dns-02 cha… Ilari Liusvaara