Re: [Acme] ACME wildcards vs. subdomain authorizations (was RE: Call for adoption draft-frield-acme-subdomains)

Alan Doherty <> Tue, 21 January 2020 17:00 UTC

Date: Tue, 21 Jan 2020 16:59:42 +0000
To: Ryan Sleevi <>, "Owen Friel (ofriel)" <>
From: Alan Doherty <>
Cc: IETF ACME <>, Felipe Gasper <>

At 13:04 21/01/2020 Tuesday, Ryan Sleevi wrote:

>On Tue, Jan 21, 2020 at 7:14 AM Owen Friel (ofriel) <> wrote:
>> Also, the linked document states:
>>     The call flow illustrates the DNS-based proof of ownership mechanism,
>>     but the subdomain workflow is equally valid for HTTP based proof of
>>     ownership.
>> Can’t I have HTTP access to a base domain’s website without having access to a
>> subdomain’s, though?

Err, yes you can (easily).
I, as a website provider, have access to the HTTP base domains of many customers (this is how we obtain/refresh the SAN certs that keep their websites available). I do not have (and do not want/need) access to create wildcard certs for their other sites elsewhere,
and customers do not assume their web host provider needs a lot of trust.

I (separate hat), as a DNS provider (separate set of customers, some overlap), can access their base domain to create wildcards, but as I could also repoint their other sites elsewhere (here, for long enough to HTTP-authenticate them too, or to a reverse proxy to MITM them, etc.), this risk is omnipresent (which is why you should ensure your DNS hoster is above reproach and has a small staff; here it's 2 people with access to the DNS servers),
and why the DNS hoster is usually seriously considered the largest risk in terms of Internet vulnerability.

>> I thought that was the reason why ACME limits wildcard
>> authz to DNS.
>[ofriel] Daniel has clarified this already. It's a Let's Encrypt, not an ACME, limitation.
>Although the CA/Browser Forum / Browser Stores have repeatedly discussed forbidding it. That is, allowing the HTTP and TLS methods of validation to only be scoped for the host in question (and potentially the service in question, if we can work out the safe SRVName transition, due to the interaction of nameConstraints and policy)
>Would it be simpler to remove the statement from the draft, rather than try to clarify equally valid refers to the technology without commenting on the policy?
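To make the scoping question in this thread concrete, here is a small added model (not code from the draft, from Let's Encrypt, or from anyone on the list) of how far one ACME authorization reaches under three policies: plain RFC 8555 (one authz per identifier), the subdomain draft (a parent authz may cover children), and the CA/B Forum variant Ryan describes (HTTP/TLS validation good for the validated host only). The `Authorization` record, the `covers()` function and the treatment of `*.parent` as a child of `parent` are assumptions of this example.

```python
"""Model of how far a single ACME authorization reaches under different
scoping policies. Added illustration only; not the draft's or any CA's code."""
from dataclasses import dataclass

HOST_SCOPED = {"http-01", "tls-alpn-01"}  # proves control of one host (web hoster)
ZONE_SCOPED = {"dns-01"}                  # proves control of the zone (DNS hoster)


@dataclass(frozen=True)
class Authorization:
    domain: str           # identifier that was validated, e.g. "example.com"
    method: str           # challenge type that succeeded
    subdomain_auth: bool  # CA lets this authz cover children (subdomain draft)


def _is_child(name: str, parent: str) -> bool:
    # Label-boundary check: "notexample.com" is not a child of "example.com".
    return name.endswith("." + parent) and name != parent


def covers(authz: Authorization, requested: str, cab_host_scoped: bool = False) -> bool:
    """Return True if `authz` is sufficient to issue for `requested`.

    cab_host_scoped models the CA/B Forum proposal in the thread: HTTP/TLS
    validation is good for the validated host only, never for children.
    Wildcards are treated as children of the validated domain and, as at
    Let's Encrypt, are never granted from a host-scoped method.
    """
    wildcard = requested.startswith("*.")
    base = requested[2:] if wildcard else requested
    if base == authz.domain and not wildcard:
        return True                        # exact match is always fine
    if authz.method in HOST_SCOPED and (wildcard or cab_host_scoped):
        return False                       # host-level proof cannot reach wider
    if not authz.subdomain_auth:
        return False                       # plain RFC 8555: one authz per name
    return _is_child(base, authz.domain) or (wildcard and base == authz.domain)
```

The web-hoster case from the message maps to an `http-01` authorization on the base domain: it can never yield `*.example.com`, while a `dns-01` authorization on the same name can.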