Re: [Acme] scope in dns-account-01 and dns-02 challenge

Jacob Hoffman-Andrews <jsha@letsencrypt.org> Thu, 21 March 2024 18:42 UTC

From: Jacob Hoffman-Andrews <jsha@letsencrypt.org>
Date: Thu, 21 Mar 2024 11:42:16 -0700
Message-ID: <CAN3x4QkF_ZUotFfq+e+23pY5ktPi1eMY+KFt6JBgbAHix4=vWQ@mail.gmail.com>
To: Amir Omidi <amir=40aaomidi.com@dmarc.ietf.org>
Cc: Seo Suchan <tjtncks@gmail.com>, acme@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/l6g9GObNt8HBdlUH4QVN5KeW5Dk>

On Wed, Mar 20, 2024 at 5:57 PM Amir Omidi <amir=40aaomidi.com@dmarc.ietf.org> wrote:

> I feel like splitting this challenge into three (and potentially more, as
> extra scopes may or may not be added into the future) might be a little too
> noisy.
>

Combined with my other proposals, we only wind up with two total challenge
types: `dns-account-host-01` and `dns-account-wildcard-01`. I propose to
get rid of domain scopes and the `dns-02` challenge type.

> What do you think about a `scope` field in the authorization resource the
> server sends creates/communicates with the client? Clients opting into
> dns02, or dns-account-01 will use this to know exactly what scope the
> server is expecting from them for their ACME order.
>

This works, and is closest to your intention with the current draft, where
the server decides the appropriate scope and the client has to abide by it.
I do think it will be more annoying to pull into the BRs, since they will
have to have language that says "This challenge type may be used to issue
for wildcard domains if the ACME server sent `"scope": "wildcard"`."
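To make the two designs discussed in this thread concrete, here is an added example (not code from this thread, from Let's Encrypt, or from the draft authors) of the client-side logic that turns an authorization plus a challenge into the DNS owner name to provision, and the consistency check a server or client would want in either design: a wildcard identifier must never be validated at `host` scope. It models both the `"scope"` field on the authorization object proposed above and the alternative of carrying the scope in the challenge type name (`dns-account-host-01` / `dns-account-wildcard-01`). The label construction (`_` + base32 of the first 10 bytes of SHA-256 over the account URL, then `._acme-<scope>-challenge.`) follows the form in draft-ietf-acme-scoped-dns-challenges as I read it and is an assumption here; the account URL, identifiers and `TYPE_TO_SCOPE` mapping are constructed for illustration.

```python
"""Deriving the ACME DNS validation name under the two scope designs
discussed on the acme list (added example; assumptions marked below)."""
import base64
import hashlib

SCOPES = ("host", "wildcard", "domain")

# Assumption: the reply's alternative design, scope encoded in the type name.
TYPE_TO_SCOPE = {
    "dns-account-host-01": "host",
    "dns-account-wildcard-01": "wildcard",
}


def account_label(account_url: str) -> str:
    """Account-bound DNS label: '_' + base32(SHA-256(account URL)[0:10]).

    Assumption: this is the draft's construction; 10 bytes encode to exactly
    16 base32 characters, so no '=' padding appears. Lowercased because DNS
    names are case-insensitive.
    """
    digest = hashlib.sha256(account_url.encode("ascii")).digest()[:10]
    return "_" + base64.b32encode(digest).decode("ascii").lower()


def required_scope(identifier_value: str) -> str:
    """Minimum scope an identifier needs: '*.' names need wildcard scope."""
    return "wildcard" if identifier_value.startswith("*.") else "host"


def resolve_scope(authz: dict, challenge: dict) -> str:
    """Decide which scope the client must use for this authorization.

    The scope comes from the challenge type name when the type encodes it,
    otherwise from the authorization's "scope" field. Either way, a host
    scope is rejected for a wildcard identifier, so a misconfigured or
    hostile server cannot talk a client into a weaker proof than issuance
    requires.
    """
    ctype = challenge["type"]
    if ctype in TYPE_TO_SCOPE:
        scope = TYPE_TO_SCOPE[ctype]
    elif ctype == "dns-account-01":
        scope = authz.get("scope")
        if scope is None:
            raise ValueError("server sent no scope for a scoped challenge")
    else:
        raise ValueError(f"unsupported challenge type {ctype!r}")
    if scope not in SCOPES:
        raise ValueError(f"unknown scope {scope!r}")
    if required_scope(authz["identifier"]["value"]) == "wildcard" and scope == "host":
        raise ValueError("host scope is not sufficient for a wildcard identifier")
    return scope


def validation_name(authz: dict, challenge: dict, account_url: str) -> str:
    """DNS owner name where the client provisions the validation TXT record."""
    scope = resolve_scope(authz, challenge)
    base = authz["identifier"]["value"].removeprefix("*.")
    return f"{account_label(account_url)}._acme-{scope}-challenge.{base}"


if __name__ == "__main__":
    # Constructed sample data, not real ACME objects.
    account = "https://acme.example/acme/acct/1"
    authz = {"identifier": {"type": "dns", "value": "*.example.org"},
             "scope": "wildcard"}
    print(validation_name(authz, {"type": "dns-account-01"}, account))
    print(validation_name(authz, {"type": "dns-account-wildcard-01"}, account))
```

Both designs produce the same owner name for the same scope; the difference the thread is weighing is where the policy text (the BRs) has to look to know which scope was proven.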