Re: [Acme] scope in dns-account-01 and dns-02 challenge

Jacob Hoffman-Andrews <jsha@letsencrypt.org> Thu, 21 March 2024 18:44 UTC

References: <CAN3x4QkK6dFnoo0wfyCBf9_beuQf+Og9+EhoeYvMUbFaoGw8zw@mail.gmail.com> <7EB59D53-7CC4-4AD3-9652-56EA622D25EE@gmail.com> <CAN3x4QkrPT69=HMqB0cRVb6kocCQ3W0C+L1fXT1zN9dCPtaMUg@mail.gmail.com> <CAOG=JUJ9HGAOPVed1i09gsoPc+8qqk4T3sJVD7n_ZLP28deErA@mail.gmail.com> <ZfwLN3MtNEvcFlaz@LK-Perkele-VII2.locald>
In-Reply-To: <ZfwLN3MtNEvcFlaz@LK-Perkele-VII2.locald>
From: Jacob Hoffman-Andrews <jsha@letsencrypt.org>
Date: Thu, 21 Mar 2024 11:44:22 -0700
Message-ID: <CAN3x4QmEF7QOTidu8ooqNSPwcUFYjP=X2aHgpYg7kb1_ZpcYFA@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: acme@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/kK23Uv3kN8pNhFuQT1oclqrHTSE>
Subject: Re: [Acme] scope in dns-account-01 and dns-02 challenge

Ilari, you've posted some useful extrapolations on how domain scopes could
work. I'm proposing to get rid of domain scopes. :D To get us on the same
page, would you mind posting some of the specific use cases you're
envisioning where domain scopes would be used in an ACME environment? My
existing belief is that domain scopes are only useful when validation is
non-automated, but I could be wrong here.

On Thu, Mar 21, 2024 at 3:26 AM Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Wed, Mar 20, 2024 at 08:57:11PM -0400, Amir Omidi wrote:
> > I do think that this draft can do a better job describing the scope. I
> > think we should make it more explicit for the client to understand which
> > one will be used. I feel like splitting this challenge into three (and
> > potentially more, as extra scopes may or may not be added into the
> > future) might be a little too noisy.
> >
> > What do you think about a `scope` field in the authorization resource the
> > server sends creates/communicates with the client? Clients opting into
> > dns02, or dns-account-01 will use this to know exactly what scope the
> > server is expecting from them for their ACME order.
>
> The problem with this is that there might be multiple valid scopes, not
> just a single valid scope. And clients often have only one that will
> work, the rest will fail (often in rather bad ways).
>
> The obvious scope is host/wildcard on the target name. However, if
> CA allows domain scope, there will be N+1 more, where N is the maximum
> allowed strip (might be 0, might be more).
>
> In another mail, I proposed:
>
> - If CA allows domain scope, it sends maximum allowed strip in the
>   challenge. Otherwise only host/wildcard scope is allowed.
> - If client selects domain scope, it sends strip used in the POST to
>   the challenge URL. Otherwise host/wildcard scope is selected.
>
>
>
>
> -Ilari
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>
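To make the ambiguity Ilari describes concrete, here is an added example (my own code, not from the draft, the list, or either author) that enumerates the record names a CA allowing domain scope could accept for one identifier, and models the server side of his proposal: the CA advertises a maximum strip, the client POSTs the scope and strip it actually used, and the CA queries exactly one name instead of probing N+2 of them. The record-name layout `_<account-label>._acme-<scope>-challenge.<name>` with the label `_` + base32(SHA-256(account URL)[0:10]) is my reading of the scoped-dns-challenges draft as it stood in March 2024; treat that layout, the `validate` signature, the account URL, token, thumbprint and the in-memory zone as assumptions constructed for the example.

```python
"""Scope negotiation for dns-account-01: candidate names and server-side check (added example)."""
import base64
import hashlib

# Assumed layout from the scoped-dns-challenges draft (March 2024):
#   _<account-label>._acme-<scope>-challenge.<name>, scope in {host, wildcard, domain}
SCOPES = ("host", "wildcard", "domain")


def account_label(account_url: str) -> str:
    """'_' + base32(SHA-256(account URL)[0:10]); 10 bytes encode to 16 chars, no padding."""
    digest = hashlib.sha256(account_url.encode("ascii")).digest()[:10]
    return "_" + base64.b32encode(digest).decode("ascii").lower()


def txt_value(token: str, jwk_thumbprint_b64url: str) -> str:
    """RFC 8555 key authorization hashed as for dns-01: base64url(SHA-256(token '.' thumbprint))."""
    key_auth = f"{token}.{jwk_thumbprint_b64url}".encode("ascii")
    digest = hashlib.sha256(key_auth).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def strip_labels(name: str, n: int) -> str:
    """Remove the n leftmost labels; refuse to strip down to the public suffix/TLD."""
    labels = name.split(".")
    if n < 0 or n >= len(labels) - 1:
        raise ValueError(f"cannot strip {n} labels from {name}")
    return ".".join(labels[n:])


def record_name(target: str, account_url: str, scope: str, strip: int = 0) -> str:
    """The single TXT owner name for a given (scope, strip) choice."""
    if scope not in SCOPES:
        raise ValueError(f"unknown scope {scope}")
    if scope != "domain" and strip != 0:
        raise ValueError("strip applies to domain scope only")
    return f"{account_label(account_url)}._acme-{scope}-challenge.{strip_labels(target, strip)}"


def candidate_names(target: str, account_url: str, wildcard: bool, max_strip: int) -> dict:
    """Every name a CA allowing domain scope could accept: host-or-wildcard plus N+1 domain-scope
    names for strip 0..N. Without negotiation the CA must probe all of them, or the client guesses."""
    base = "wildcard" if wildcard else "host"
    names = {(base, 0): record_name(target, account_url, base)}
    for s in range(max_strip + 1):
        names[("domain", s)] = record_name(target, account_url, "domain", s)
    return names


def validate(zone: dict, target: str, account_url: str, wildcard: bool, max_strip: int,
             chosen_scope: str, chosen_strip: int, expected_txt: str):
    """Server side of the proposal: the CA advertised max_strip in the challenge, the client
    POSTed (chosen_scope, chosen_strip), so exactly one name is looked up. `zone` stands in for DNS."""
    if chosen_scope == "domain" and chosen_strip > max_strip:
        return False, "strip exceeds the maximum the CA advertised"
    identifier_scope = "wildcard" if wildcard else "host"
    if chosen_scope != "domain" and chosen_scope != identifier_scope:
        return False, "scope does not match the identifier type"
    name = record_name(target, account_url, chosen_scope, chosen_strip)
    if expected_txt in zone.get(name, ()):
        return True, name
    return False, f"no matching TXT record at {name}"


if __name__ == "__main__":
    # Constructed inputs: hypothetical account URL, token and thumbprint.
    acct = "https://ca.example/acme/acct/12345"
    txt = txt_value("evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA", "thumbprint-of-account-key")
    for (scope, strip), name in candidate_names("a.b.example.com", acct, False, 2).items():
        print(f"{scope:8s} strip={strip}  {name}")
    # Client chose domain scope with strip 1 and provisioned only that record.
    zone = {record_name("a.b.example.com", acct, "domain", 1): [txt]}
    print(validate(zone, "a.b.example.com", acct, False, 2, "domain", 1, txt))
    print(validate(zone, "a.b.example.com", acct, False, 0, "domain", 1, txt))
```

Running it prints four candidate names for a single identifier with max strip 2, which is the N+2 probing a CA would otherwise face; the second `validate` call shows the proposal's check rejecting a strip the CA never advertised rather than silently querying a name it does not accept.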