[Acme] orders, authorizations, and identifiers (oh my)

Felipe Gasper <felipe@felipegasper.com> Mon, 15 July 2019 21:56 UTC


Hi all,

	The new RFC (8555) states (on p26), for order objects, that a 1:1 relationship may not exist between an order’s identifiers and its authzs.

	Given that each authz object contains exactly 1 identifier, how would this play out for CAs that accept authz against a base domain as substitutive for authz on a subdomain?

	Consider an order to the hypothetical “AwesomeSSL” CA for example.com and www.example.com. AwesomeSSL considers authz against “example.com” to implicitly demonstrate control over “www.example.com”. Since the order requires successful authz for both domains, and (for AwesomeSSL) authz for “example.com” suffices for both domains, having a separate authz against “www” is superfluous. So it would be reasonable for this order to contain a single authz … and would that authz’s identifier be just “example.com”, then? Thus that authz object would not reference “www”, even though it is that domain’s corresponding authz object? Or would a client be accountable for implementing a “best-match authz” lookup to determine which authz corresponds to a given domain?

	Thank you!

-Felipe Gasper
Mississauga, Ontario
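One way a client could implement the "best-match authz" lookup the question raises, as an added example that is not part of the original post. The order object, the authz URLs and the "AwesomeSSL" CA are constructed sample data; the lookup only consults authorizations listed in the order itself.

```python
"""Added example (not from the post): a best-match authz lookup for an
RFC 8555 order whose CA collapses a subdomain authz into its parent.
All order and authz objects below are constructed sample data."""
from typing import Optional

# Constructed sample: an order for example.com and www.example.com for
# which the hypothetical "AwesomeSSL" CA issued a single authz (example.com).
ORDER = {
    "status": "pending",
    "identifiers": [
        {"type": "dns", "value": "example.com"},
        {"type": "dns", "value": "www.example.com"},
    ],
    "authorizations": ["https://awesomessl.example/acme/authz/1"],
}
AUTHZS = {
    "https://awesomessl.example/acme/authz/1": {
        "status": "pending",
        "identifier": {"type": "dns", "value": "example.com"},
    },
}

def _parent_domains(name: str):
    """Yield name, then each parent: www.example.com -> example.com -> com."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

def best_match_authz(order, authzs, identifier) -> Optional[str]:
    """Return the URL of the authz in `order` that covers `identifier`:
    an exact identifier match wins, otherwise the closest parent domain
    that has an authz in this order.  Returns None if nothing covers it."""
    if identifier["type"] != "dns":
        candidates = [identifier["value"]]  # no hierarchy to walk for non-DNS
    else:
        candidates = list(_parent_domains(identifier["value"]))
    # Only authzs referenced by this order are eligible; an authz fetched
    # from elsewhere must never satisfy one of this order's identifiers.
    by_value = {}
    for url in order["authorizations"]:
        ident = authzs[url]["identifier"]
        if ident["type"] == identifier["type"]:
            by_value.setdefault(ident["value"], url)
    for name in candidates:
        if name in by_value:
            return by_value[name]
    return None

def map_identifiers(order, authzs):
    """Map every order identifier value to its covering authz URL (or None)."""
    return {i["value"]: best_match_authz(order, authzs, i) for i in order["identifiers"]}
```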