Re: [Acme] ACME wildcards vs. subdomain authorizations (was RE: Call for adoption draft-frield-acme-subdomains)

"Owen Friel (ofriel)" <ofriel@cisco.com> Mon, 20 January 2020 11:48 UTC

Return-Path: <ofriel@cisco.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C268D120111 for <acme@ietfa.amsl.com>; Mon, 20 Jan 2020 03:48:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=XGofCyDS; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=StsrV77F
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y_bVQ-Q-fTel for <acme@ietfa.amsl.com>; Mon, 20 Jan 2020 03:48:46 -0800 (PST)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8FA5120120 for <acme@ietf.org>; Mon, 20 Jan 2020 03:48:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6664; q=dns/txt; s=iport; t=1579520925; x=1580730525; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=nMXCaTjxCfh/46DzAkBW10JFX0QmjVDEWd8OO6fMAd8=; b=XGofCyDShBHgvXuaqs+iw0CXgLchkFAmOOkoeHyXXdm/JFMtsCoCrZg6 dqOToXdBieuEdwcCQh/m6m1YVuZ+G5NUiCR/zeR9u/MnT50z+phsWZBm3 gk8EKBe5U7t2v4uVUgBgk/pAE6DjgpVHvbTBG4whIwRWVzZnnjoFRMvHF s=;
IronPort-PHdr: =?us-ascii?q?9a23=3AspwJwBatpFSwAzD79fhO2Bj/LSx94ef9IxIV55?= =?us-ascii?q?w7irlHbqWk+dH4MVfC4el20Q6bRp3VvvRDjeee87vtX2AN+96giDgDa9QNMn?= =?us-ascii?q?1NksAKh0olCc+BB1f8KavtYTY7EcBqX15+9Hb9Ok9QS47z?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0CdCQAPkyVe/5JdJa1lHAEBAQEBBwE?= =?us-ascii?q?BEQEEBAEBgXuBVFAFbFggBAsXEwqECINGA4p8ToIRmA6BQoEQA1QJAQEBDAE?= =?us-ascii?q?BGAsKAgEBhEACF4F2JDgTAgMNAQEEAQEBAgEFBG2FNwyFXgEBAQEDAQEQCwY?= =?us-ascii?q?RDAEBLAwLBAIBCBEDAQEBAwIfBAMCAgIlCxQBCAgCBAESCBqDBYJKAy4BAgy?= =?us-ascii?q?gHAKBOYhhdYEygn8BAQWBMwKDURiCDAMGgQ4qjBQagUE/gRFHgh4uPoJkAQE?= =?us-ascii?q?CAYEtARIBCRiDDjKCLJBVhgCZAQqCOYc9hUOJTIJHiAqQJo5eiGGSJQIEAgQ?= =?us-ascii?q?FAg4BAQWBaSJncXAVO4JsUBgNiAE4gzuFFIU/dAIBgSaKGYEiAYEPAQE?=
X-IronPort-AV: E=Sophos;i="5.70,341,1574121600"; d="scan'208";a="419611312"
Received: from rcdn-core-10.cisco.com ([173.37.93.146]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 20 Jan 2020 11:48:44 +0000
Received: from XCH-ALN-001.cisco.com (xch-aln-001.cisco.com [173.36.7.11]) by rcdn-core-10.cisco.com (8.15.2/8.15.2) with ESMTPS id 00KBmiWq000584 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 20 Jan 2020 11:48:44 GMT
Received: from xhs-aln-001.cisco.com (173.37.135.118) by XCH-ALN-001.cisco.com (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 20 Jan 2020 05:48:44 -0600
Received: from xhs-rcd-002.cisco.com (173.37.227.247) by xhs-aln-001.cisco.com (173.37.135.118) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 20 Jan 2020 05:48:43 -0600
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-002.cisco.com (173.37.227.247) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Mon, 20 Jan 2020 05:48:43 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=L9ncMNOToWbtfS9wra++kIEVnY6TQ+VqDhWNekOs5/zb4Xsww5HpcfoeKc8/TGrRg5bqaVdzhOSyN94apIdeQ8ypZgeTpoCY45sqHL3MLF9UyC2g9bsmievCEQU4gqiLT5ApfrLbE1Kwerm0Yq6EVK4226nWqBdUIh3bGN7+nLQJBIEU1H4Dw2iDRnI1a++eGfMM6f7tX5NT9bu/4JX8+KOIyo0qCgJ+IITqnlI9pLJIJUHLPw70Vs5ozVVio8+2ISUVnuHIGc9CpM1vStVgLVYsw/uKBavGoNohNEj5RFnSbAmhaC/rSfX1NMnMpK0GEOIWN8cFYjBOrdmQD79Adw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=nMXCaTjxCfh/46DzAkBW10JFX0QmjVDEWd8OO6fMAd8=; b=Qon8ID06GBqL/uR6Abj0xGnPu1KmvBgaPbPGmtukKSv512T0BKk2SY1En8AODXmhj8D0HVSGl1L/KYTrFDpRj+NLwNdCQboi2WBYKHfk3e8aqY0AVqhOOSFsp4y2FALmvANtDCJ6h0iWQLGvi1xEHJrdvIB7WFmIuEqqXnhUCd27VEgyKmBblsh3pYQehm6Nb88oCiytav//B6eVMH3pdBMVxStNO4DQryXm82xs/D3Q1Fc3WrG9BKBNpvcYxKbl4/Fh6ddmgtbUdkFMaFpe3LKfZpqWhNsrPjgnzDoHBwyak+3DB5zaZSsrsosarowBXAG+rbeLR8TeB35w81DGbg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=nMXCaTjxCfh/46DzAkBW10JFX0QmjVDEWd8OO6fMAd8=; b=StsrV77FSRt7zVVUGW7v7GZoO8aMoX+A4dvej8N8nprLwYyP90tsdo6A/JeTIY+cXQXjPjbGnFdamUd/UGAi8tF0ewOx1wWA1qzyWaaMKHUpYcDEni3QieeNoYc+c78xxTu410GE4bC/z6HJ0QED60e0ZVsdYI6dibIrpNdAamw=
Received: from MN2PR11MB3901.namprd11.prod.outlook.com (20.179.150.76) by MN2PR11MB4351.namprd11.prod.outlook.com (52.135.39.159) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2644.19; Mon, 20 Jan 2020 11:48:42 +0000
Received: from MN2PR11MB3901.namprd11.prod.outlook.com ([fe80::d1b8:3e63:ead8:10c9]) by MN2PR11MB3901.namprd11.prod.outlook.com ([fe80::d1b8:3e63:ead8:10c9%7]) with mapi id 15.20.2644.024; Mon, 20 Jan 2020 11:48:42 +0000
From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: "Owen Friel (ofriel)" <ofriel@cisco.com>, "Salz, Rich" <rsalz@akamai.com>, "acme@ietf.org" <acme@ietf.org>
Thread-Topic: [Acme] ACME wildcards vs. subdomain authorizations (was RE: Call for adoption draft-frield-acme-subdomains)
Thread-Index: AQHVz4eQxUsnt/Joaku87BnKLfeybQ==
Date: Mon, 20 Jan 2020 11:48:42 +0000
Message-ID: <MN2PR11MB3901D33CB72236ECF7BA437ADB320@MN2PR11MB3901.namprd11.prod.outlook.com>
References: <MN2PR11MB3901512A25A395E684808FFBDB5F0@MN2PR11MB3901.namprd11.prod.outlook.com>
In-Reply-To: <MN2PR11MB3901512A25A395E684808FFBDB5F0@MN2PR11MB3901.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ofriel@cisco.com;
x-originating-ip: [64.103.40.28]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: c78ffd2d-4808-45fb-cd54-08d79d9eb2ab
x-ms-traffictypediagnostic: MN2PR11MB4351:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <MN2PR11MB43514EB8C99B4CE8AD800283DB320@MN2PR11MB4351.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0288CD37D9
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(346002)(376002)(396003)(366004)(136003)(39860400002)(199004)(189003)(316002)(110136005)(8676002)(81156014)(33656002)(71200400001)(66946007)(66476007)(66556008)(64756008)(66446008)(76116006)(55016002)(9686003)(6506007)(53546011)(52536014)(26005)(966005)(478600001)(186003)(2906002)(86362001)(5660300002)(81166006)(7696005)(8936002); DIR:OUT; SFP:1101; SCL:1; SRVR:MN2PR11MB4351; H:MN2PR11MB3901.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: +Ibj9qng7JHHxc0y+Os/okrYdDUUe5dqBQgRL34Be+6uFwX7iCXcEt7RFwLTxxIvfJQVaKE7w9t1QS+ATzKO/PMcsXkeIVTt9zqSh4GbNhoOi4IhIvlUa8clOntL+/xM/0WjBzEOCj9egxGdwG9budaz8FY4J59HDiQzkiDY85FU0Xlv4KvVJJQRTxaTKegY0n69ddmXfFVcf7sGQ5/cCVqYywTpLaI46H3Gnz74KVKaNtuPbSYcETDSD8sr5sffNA94frWTBhCNzbe5jSFi+xIOTX1r6rtSZ9xPTZhzNZ385WddHCLYB7KzyVQzxaEHmp25i8I9VSAIYC+R7zwp4mKtj+aJB55ESPtGyrbbe7cPt4KlPKue1wH2qzjmgrS6+3dL/U6D+uEBryEY222kyzzrZpxjXw62rTWEejX61M80Gul7rloZOkDcAZmaRsp9qIIqwxCmn6mxcQJMnhaIxGVZt2P516WTeMMyp6xdeGTmauUOK9gfd+4csRW+WLSCKg5vzWl7Z1bfi3hzMyO/2w==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: c78ffd2d-4808-45fb-cd54-08d79d9eb2ab
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Jan 2020 11:48:42.2712 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: qOIlfk4QwRjfggYt00d5CjVIPYnteXoT1EHLdjOGZW4cmVxA+9xw1yYpnLdxAOKmxbULMznxOn0s1EOFwbaalA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB4351
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.11, xch-aln-001.cisco.com
X-Outbound-Node: rcdn-core-10.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/lgKu0dTiQ8hmZcSx--J1Kiyi8BM>
Subject: Re: [Acme] ACME wildcards vs. subdomain authorizations (was RE: Call for adoption draft-frield-acme-subdomains)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jan 2020 11:48:51 -0000

FYI, https://tools.ietf.org/html/draft-friel-acme-subdomains-01 documents the proposed new authorization object field "basedomain"


> -----Original Message-----
> From: Acme <acme-bounces@ietf.org> On Behalf Of Owen Friel (ofriel)
> Sent: 06 December 2019 15:41
> To: Salz, Rich <rsalz@akamai.com>om>; acme@ietf.org
> Subject: [Acme] ACME wildcards vs. subdomain authorizations (was RE: Call for
> adoption draft-frield-acme-subdomains)
> 
> Any comments on this email on how to explicitly distinguish between wildcard
> and subdomain authorizations, which hopefully addresses ekr's mic comments.
> 
> 
> > -----Original Message-----
> > From: Acme <acme-bounces@ietf.org> On Behalf Of Owen Friel (ofriel)
> > Sent: 26 November 2019 22:51
> > To: Salz, Rich <rsalz@akamai.com>om>; acme@ietf.org
> > Subject: Re: [Acme] Call for adoption draft-frield-acme-subdomains
> >
> > DNS wildcards are mentioned in 3 sections in RFC8555 (in addition to
> > the IANA Considerations section):
> >
> > 1. https://tools.ietf.org/html/rfc8555#section-7.1.3 Order Objects:
> >
> >    Any identifier of type "dns" in a newOrder request MAY have a
> >    wildcard domain name as its value.  A wildcard domain name consists
> >    of a single asterisk character followed by a single full stop
> >    character ("*.") followed by a domain name as defined for use in the
> >    Subject Alternate Name Extension by [RFC5280].  An authorization
> >    returned by the server for a wildcard domain name identifier MUST NOT
> >    include the asterisk and full stop ("*.") prefix in the authorization
> >    identifier value.  The returned authorization MUST include the
> >    optional "wildcard" field, with a value of true.
> >
> > 2. https://tools.ietf.org/html/rfc8555#section-7.1.4 Authorization Objects:
> >
> >    If an
> >    authorization object conveys authorization for the base domain of a
> >    newOrder DNS identifier containing a wildcard domain name, then the
> >    optional authorizations "wildcard" field MUST be present with a value
> >    of true.
> >
> > 3. https://tools.ietf.org/html/rfc8555#section-7.4.1 Pre-authorization
> >
> >    Note that because the identifier in a pre-authorization request is
> >    the exact identifier to be included in the authorization object, pre-
> >    authorization cannot be used to authorize issuance of certificates
> >    containing wildcard domain names.
> >
> > For the subdomains use case, it looks as if it makes sense to define a
> > "parentdomain" boolean flag (or "basedomainname" or similar) to be
> > included in the authorization object for a domain that authorizes
> > subdomain certs. The relevant CAB guidelines are quoted in
> > https://tools.ietf.org/html/draft-friel-
> > acme-subdomains-00#appendix-A.
> >
> > The authorization object would then explicitly indicate that this is a
> > base domain authorization and thus subdomain certs may be issued off
> > this. This is conceptually similar to the current "wildcard" flag
> > which indicates that a wildcard cert may be issued off the identifier
> > in the object, and would definitively differentiate wildcard vs. base
> > domain vs. explicit domain authorizations.
> >
> > Item #3 from section 7.4.1 Pre-authorization is already called out as
> > a substantive change from RFC8555: i.e. the identifier in the
> > authorization object may be different from the identifier in the newAuthz
> object.
> >
> > > -----Original Message-----
> > > From: Acme <acme-bounces@ietf.org> On Behalf Of Salz, Rich
> > > Sent: 26 November 2019 21:53
> > > To: acme@ietf.org
> > > Subject: Re: [Acme] Call for adoption draft-frield-acme-subdomains
> > >
> > > WRONG.  My mistake.
> > >
> > > Please discuss this, especially the subdomains/wildcard issues.
> > > This is *NOT* a call for adoption.  We will take this up in Vancouver, IETF
> 107.
> > >
> > > From: Rich Salz <mailto:rsalz@akamai.com>
> > > Date: Tuesday, November 26, 2019 at 4:51 PM
> > > To: "mailto:acme@ietf.org" <mailto:acme@ietf.org>
> > > Subject: [Acme] Call for adoption draft-frield-acme-subdomains
> > >
> > > This email starts a ten-day call for adoption. There was consensus
> > > in the room at IETF 106 to adopt this as a working group document.
> > > If you disagree with that, or have any other strong feelings, please
> > > post to the list before the end of next week.
> > > Also discussed was the need for some additional clarity around
> > > subdomains and the existing wildcard challenges.
> > >
> > > Thank you.
> > >
> > _______________________________________________
> > Acme mailing list
> > Acme@ietf.org
> > https://www.ietf.org/mailman/listinfo/acme
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme