Re: [Acme] working group call for adoption
Aaron Gable <aaron@letsencrypt.org> Wed, 01 September 2021 19:00 UTC
Return-Path: <aaron@letsencrypt.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6B783A166B for <acme@ietfa.amsl.com>; Wed, 1 Sep 2021 12:00:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.55
X-Spam-Level:
X-Spam-Status: No, score=-2.55 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x8GBAxas1kdt for <acme@ietfa.amsl.com>; Wed, 1 Sep 2021 12:00:49 -0700 (PDT)
Received: from mail-qk1-x734.google.com (mail-qk1-x734.google.com [IPv6:2607:f8b0:4864:20::734]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F2D023A1636 for <acme@ietf.org>; Wed, 1 Sep 2021 12:00:48 -0700 (PDT)
Received: by mail-qk1-x734.google.com with SMTP id a66so589011qkc.1 for <acme@ietf.org>; Wed, 01 Sep 2021 12:00:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=NbEfILMOgCfIEhUgGBaNdjACL+nxpZbhTsOq45xERVk=; b=MiXxPWmm+tA5f8j5uauJzqo1dpEt/JH5rCNLkNDiIJa/wGsvKMPXVxhEIFDyJ1KEDE 5C/MR/1IIvukla8cYZ/OzSCjieNmyjBxQHJ0YinjySGblu8EhpmicEg5gJ1tUuSAR1jo c+p86Ls5CuURPN2oGrbGK8+mOXaDg0Q+iEBgQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NbEfILMOgCfIEhUgGBaNdjACL+nxpZbhTsOq45xERVk=; b=Y+W1GrlLDwomwBMWcznAQRilBdvwHn5hyhMBTQX4V52co2q7Hya22Qqw1qvA0DeIk/ DzmK6IMj2SrjtPUqIgnFfs2D+MwwMjNRf3soL3ZyIMVazqw0dNHXtp2hkDkDCqj9qUi2 uLUUEkhfTfIgh+QOEcNobz3ot0fwKwTzYE5oSWkZk+ZKxr4q9TorREZ91ndlpDAxWgeM xsEZqDPSPW8WjjpEVaO5RRO6UfKGVtGgbycUoqnNlxF/SlPtVCGTLaVeZB3CgLYgTo/U BNGl3x5dq07WOoHpjdwEw2YtZs2BV56fugZTvjf6MzR/2Tucl4gZdET47EeVm+dz1QJU ISbg==
X-Gm-Message-State: AOAM531ly2kQO6fvBAoCnwbtMZRIFsnO13yotSSVQ27AVEWEzvcIinAA 2Nh++g+uoKCiFyFoLW02ec+Kl30zzaiIplXXFbe8dfhsLzjtbA==
X-Google-Smtp-Source: ABdhPJxgWDy6EiZ1VpYoNrL8FTndGcjSVrj8/M71DKiqkXBjJrz7ceGr+pypOILd40TJ0yuzjxyrVL0FSHzhdQJatdY=
X-Received: by 2002:a05:620a:4050:: with SMTP id i16mr1126905qko.90.1630522845512; Wed, 01 Sep 2021 12:00:45 -0700 (PDT)
MIME-Version: 1.0
References: <4fde2abe4b4d4bb2a261c2d657b8e356@nsa.gov>
In-Reply-To: <4fde2abe4b4d4bb2a261c2d657b8e356@nsa.gov>
From: Aaron Gable <aaron@letsencrypt.org>
Date: Wed, 01 Sep 2021 12:00:34 -0700
Message-ID: <CAEmnErcqqLnmC3U4vOKNgQYK4z5vJ5a4n+oSwRx9w4t6nmtKZg@mail.gmail.com>
To: "acme@ietf.org" <acme@ietf.org>
Cc: Deb Cooley <decoole@nsa.gov>
Content-Type: multipart/alternative; boundary="0000000000000159eb05caf3af3d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/mpNWyYAfDOHzQhIKtYpoBiasCig>
Subject: Re: [Acme] working group call for adoption
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Sep 2021 19:01:15 -0000
Substantive comments: Reading through the history of this document, I see that it started out as simply specifying server behavior to allow particular kinds of authorization re-use, and has now grown to an API extension that adds new fields to various request and response objects. My comments here may seem like circling back to square one, and for that I apologize. Fresh eyes, and all that. Overall, this document reads to me as "RFC 8555 didn't handle wildcards well; this is essentially how wildcard should have been specified in the first place". I certainly agree with that stance -- in hindsight, it should have been possible to do wildcard preauthorization (e.g. by setting a "wildcard" boolean flag in the preauthorization request). It is unfortunate that the wording of RFC 8555 seems to preclude simply extending the existing wildcard mechanism. That said, it is not clear to me that this draft enables truly novel behavior. I believe that the desired result -- authorization for a single parent domain, but issuance only for specific subdomains -- is possible using current mechanisms: 1) Create a NewOrder for *.example.com 2) Complete the necessary challenge to prove control over example.com 3) Don't bother finalizing the order 4) Create a NewOrder for foo.example.com 5) The ACME Server notices the wildcard authorization for example.com, attaches that to the new order, and sets the order's state to "valid" 6) Finalize the order, receive a certificate for foo.example.com Yes, this is messy. It's absolutely just using the newOrder flow as an end-run around the fact that you can't use newAuthz to generate wildcard authorizations. But I believe it is fully possible today, with no extensions or modifications to the ACME protocol. The only changes necessary to enable this flow would be in internal server policy, creating a willingness to re-use pre-existing wildcard authorizations with orders for specific subdomains. I freely admit that I am less familiar with the RFC process than many here, so the following proposal may be completely infeasible. But would it be possible for this draft to effectively become "let's extend newAuthz requests with a wildcard field"? Then the pre-authorization flow outlined in the current draft could be used rather than the hack "create but don't finalize an order" flow I outlined above. Or would the act of contradicting 8555's restrictions on the wildcard field be too big of an issue? Minor comments: * In Section 2 Terminology, it would be good to make clear that the CA/BF BRs are constantly changing, and that the definitions copied into this document are from a particular version (in the current draft, v1.7.1). * In the same section, several of these definitions have been updated since v1.7.1, including ADN now being defined in terms of FQDN rather than in terms of Domain Names. * Section 3, Step 4 references "the specified challenge", while none of the preceding steps identify where that challenge comes from (the authorization object). Obviously this is not a major comment, as this section is not normative, but it may cause some confusion for readers less familiar with ACME. * In Section 3, the references to various sections of RFC 8555 have inconsistent capitalization, and one ("Sections 8.3") is pluralized. * In the HTMLized version of the draft, those section references attempt to link to sections of this document, rather than linking to RFC 8555. * The reference to Section 7.1.4 spells out un-capitalized "fully qualified domain name", while the capitalized version of that term is defined in Section 2. * It's not clear to me that Section 4.1 is necessary at all: as the draft states in Section 7.1, different ACME servers (especially those operating outside of the CA/BF BRs) may have different server policies. The current restriction that DNS-01 MUST be used for wildcard validation comes from the BRs, not from 8555, so it seems inconsistent to mandate DNS-01 in this document. * If it is retained, then it seems better to define Section 4.1 in terms of negatives: challenges HTTP-01 and TLS-ALPN-01 MUST NOT be used. This leaves the door open for future challenge types which have equivalent security properties to DNS-01 to be used for this case. * Finally, in Appendix A, the CA/BF BRs no longer allow Agreed-Upon Change to Website validations for Wildcard Domain Names. Thanks, Aaron On Tue, Aug 31, 2021 at 8:37 AM Cooley, Dorothy E <decoole= 40nsa.gov@dmarc.ietf.org> wrote: > This is a working group call for adoption of: > draft-friel-acme-subdomains-05. We have had presentations of this work at > the past couple of IETF meetings (back to when we still met in person - > sigh). > > Please review the draft and post your comments to the list by Wednesday, 15 > September 2021. > > Thanks, > Deb and Yoav > > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme >
- [Acme] working group call for adoption Cooley, Dorothy E
- Re: [Acme] working group call for adoption Russ Housley
- Re: [Acme] working group call for adoption Aaron Gable
- Re: [Acme] working group call for adoption Michael Richardson
- Re: [Acme] working group call for adoption Ryan Sleevi
- Re: [Acme] working group call for adoption Michael Richardson
- Re: [Acme] working group call for adoption Aaron Gable
- Re: [Acme] working group call for adoption Ryan Sleevi
- Re: [Acme] working group call for adoption Owen Friel (ofriel)
- Re: [Acme] working group call for adoption Aaron Gable
- Re: [Acme] working group call for adoption Owen Friel (ofriel)