Re: [Acme] ACME wildcards vs. subdomain authorizations (was RE: Call for adoption draft-frield-acme-subdomains)

"Owen Friel (ofriel)" <ofriel@cisco.com> Tue, 21 January 2020 12:13 UTC

Return-Path: <ofriel@cisco.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D28E1200FB for <acme@ietfa.amsl.com>; Tue, 21 Jan 2020 04:13:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.498
X-Spam-Level:
X-Spam-Status: No, score=-14.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=ifC0YYI1; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=xTCcHLqg
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 68yKEQtdUtUZ for <acme@ietfa.amsl.com>; Tue, 21 Jan 2020 04:13:50 -0800 (PST)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E9F21200FE for <acme@ietf.org>; Tue, 21 Jan 2020 04:13:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=10194; q=dns/txt; s=iport; t=1579608830; x=1580818430; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=sGp2iCPr0dGGwlZ5ozEB66o3/zUwnKQMHuG/m6o0zX4=; b=ifC0YYI1zM7WRdhvYwvcgWQuaM9+K2mJiPAcR9uGlXFHlSbMhVlxvqyg jgNRdKOTbf8ejzi9zvWcfErmNrOwvfPLcFlq4cuqRSTFKTD6xpdi+Fnnt qnIcacaLMbQf4dfh4FwjcuNyHP2tvoRqiQI6S9hSCYS/VipB1REhcsyPS c=;
IronPort-PHdr: =?us-ascii?q?9a23=3As96gtxbaJotOzPGzH5gW5cr/LSx94ef9IxIV55?= =?us-ascii?q?w7irlHbqWk+dH4MVfC4el20Q6bRp3VvvRDjeee87vtX2AN+96giDgDa9QNMn?= =?us-ascii?q?1NksAKh0olCc+BB1f8KavtYTY7EcBqX15+9Hb9Ok9QS47z?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0DxAwDl6SZe/4MNJK1lGwEBAQEBAQE?= =?us-ascii?q?FAQEBEQEBAwMBAQGBe4FUUAVsWCAECyoKhAiDRgOLAE6CEZgOgUKBEANUCQE?= =?us-ascii?q?BAQwBARgLCgIBAYRAAheBeSQ4EwIDDQEBBAEBAQIBBQRthTcMhV4BAQEBAgE?= =?us-ascii?q?BARALBhEMAQEHJQwEBwQCAQgRAwEBAQECAh8EAwICAiULFAEICAIEARIIGoM?= =?us-ascii?q?FgkoDDiABAgyhegKBOYhhdYEygn8BAQWBMwKDUxiCDAmBDiqLdh4agUE/gRF?= =?us-ascii?q?Hgh4uPoIkQAEBAgGBLQESAQkYgw4ygiyNZoJvhgCYC3YKgjmHPYVDiUyCR3i?= =?us-ascii?q?HEpAmjl6BSYcYkiUCBAIEBQIOAQEFgWkiZ3FwFTuCbAlHGA2IATiDO4UUhT9?= =?us-ascii?q?0AgGBJoo2gSIBgQ8BAQ?=
X-IronPort-AV: E=Sophos;i="5.70,345,1574121600"; d="scan'208";a="709199752"
Received: from alln-core-1.cisco.com ([173.36.13.131]) by rcdn-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 21 Jan 2020 12:13:48 +0000
Received: from XCH-ALN-002.cisco.com (xch-aln-002.cisco.com [173.36.7.12]) by alln-core-1.cisco.com (8.15.2/8.15.2) with ESMTPS id 00LCDmXn018249 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 21 Jan 2020 12:13:48 GMT
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by XCH-ALN-002.cisco.com (173.36.7.12) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 21 Jan 2020 06:13:48 -0600
Received: from xhs-rtp-002.cisco.com (64.101.210.229) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 21 Jan 2020 07:13:45 -0500
Received: from NAM04-SN1-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-002.cisco.com (64.101.210.229) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Tue, 21 Jan 2020 07:13:45 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=hTHgB5i5J47SDH0YsxzPQgTX98yzBizIiB+wx3m9/8JHsfva8BVqwbCMT77qlSFl7N9LVP8zKOYlCq5iit6et9Ba8SAAid3QqFuVfppL/YE/fRtElk6sp0Ub+5AQwjgKR01LHNk2Q9QNKbK+D+jgtlQjxDN2kXizo6zv6CF+sUgQ7q2cPzd9MVisXFmj7DqJ5plGl3kiq7KQvwxobnfujFJdz0tBQatCwhDiCJPg9TEhrGIrWFIwMWsOeaKTSKdV7tICFpOCnrgq6j4AJBxwERG4RHsN86xNAMvzq0EzjUrp+EMNULWAa2S8VtoX7kAx+KvgGsveNOFi0K/zfJM/PA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=sGp2iCPr0dGGwlZ5ozEB66o3/zUwnKQMHuG/m6o0zX4=; b=aJLpx0jTURigf+couXA/zpLUTGsAxhLXF+qXM765xQtdc1lRjNJTNdwfw46pGZW4U8qhNPGqPNz/wK106W5Mvvy3aYevcKmigPw/ylchEwDm09g64v5J2KFAEXFcgyDlpDLmO/wPH/Ne31CT+hqj59OUhAO2yOVtuZltmjXbiHf+TYp9h45B5eQKUT8ZqIkTm7qUwIFE3Et8+n7nu4gC8bCJloe6C7nyiKjGbAGDNgQyjzqTNYEF7U/Hr0LrpRs39RN1zhjg3eeD4805FLYh5+dl+0GBY2lNC0ERK1NKlE4Nn2CJbh/87roDaL3g5l5A5u/lba2cBWZfRjjxyxtKRQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=sGp2iCPr0dGGwlZ5ozEB66o3/zUwnKQMHuG/m6o0zX4=; b=xTCcHLqgdqnHsRiv2cvd4rpn/pG9qEIvyibvBFeQ790i6fncvyIDq7lyqsC2/Ei/DOxMZjqxqKUNQwSIgEftpeOz+vFtJef2j5LHFoV2YDPmG8eTGB9SWBHsA6bPyffcpiIb/s6CfQL59dqKWiv5aWhk7on+Qjqbrjmdvcug520=
Received: from MN2PR11MB3901.namprd11.prod.outlook.com (20.179.150.76) by MN2PR11MB3693.namprd11.prod.outlook.com (20.178.252.207) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2644.20; Tue, 21 Jan 2020 12:13:43 +0000
Received: from MN2PR11MB3901.namprd11.prod.outlook.com ([fe80::d1b8:3e63:ead8:10c9]) by MN2PR11MB3901.namprd11.prod.outlook.com ([fe80::d1b8:3e63:ead8:10c9%7]) with mapi id 15.20.2644.024; Tue, 21 Jan 2020 12:13:43 +0000
From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Felipe Gasper <felipe@felipegasper.com>, IETF ACME <acme@ietf.org>
Thread-Topic: [Acme] ACME wildcards vs. subdomain authorizations (was RE: Call for adoption draft-frield-acme-subdomains)
Thread-Index: AQHVz4eQxUsnt/Joaku87BnKLfeybafzfB0AgAGL5FA=
Date: Tue, 21 Jan 2020 12:13:42 +0000
Message-ID: <MN2PR11MB3901CDCC1358EEF12169EE1DDB0D0@MN2PR11MB3901.namprd11.prod.outlook.com>
References: <MN2PR11MB3901512A25A395E684808FFBDB5F0@MN2PR11MB3901.namprd11.prod.outlook.com> <MN2PR11MB3901D33CB72236ECF7BA437ADB320@MN2PR11MB3901.namprd11.prod.outlook.com> <B5F428E5-D08E-4EE6-9807-B51395F58643@felipegasper.com>
In-Reply-To: <B5F428E5-D08E-4EE6-9807-B51395F58643@felipegasper.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ofriel@cisco.com;
x-originating-ip: [64.103.40.22]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 263f4abc-20aa-4acd-000e-08d79e6b5b8c
x-ms-traffictypediagnostic: MN2PR11MB3693:
x-microsoft-antispam-prvs: <MN2PR11MB3693A8F8E38D0EA871EE62CEDB0D0@MN2PR11MB3693.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0289B6431E
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(346002)(376002)(396003)(136003)(366004)(39860400002)(189003)(199004)(52536014)(53546011)(6506007)(478600001)(26005)(55016002)(186003)(966005)(7696005)(9686003)(8936002)(2906002)(86362001)(81166006)(5660300002)(8676002)(110136005)(316002)(81156014)(66946007)(64756008)(71200400001)(33656002)(76116006)(15974865002)(66556008)(66476007)(66446008); DIR:OUT; SFP:1101; SCL:1; SRVR:MN2PR11MB3693; H:MN2PR11MB3901.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: VQzvulPYxiBXXb1Haz1KIvAoU9BtpjATvkvRW7dhqH7UPHiAx0DVHLZmiLqCRx5ybvOt3lTHq8NWAXBbSOMpPjTOQDmrHI1FZJFqw3l0aEBF+gtXuBr4SZ/o82dGGHe1GPtU4U5fWDEgaXwEvCaT9lsGfHwV1TxkTwYySvIITSDJyZV/oUaxA+PVdU3Cjt/TxqTmUV+HIlEjwQ9PrH9p1yw7+NCSiI8eUf6d8iFctUwQRH0zZBJSwotlVtoIeBuCgfZRHdVf2GaSnRSCTH11h8Y6lDmv5pZs5P6PHJpRQtRR0R/Xo+mbMxCF9nV5rYWB0jnoJqfOlxE1LDXmIRHu238MYUx4CqkYIWOTORp4xzoba0lJbRr0y5uk7BHay+wneHFJ8HsP3+qgulG2GFkv7bxLfFyN+QHxxCqSWC8N3UbArjSmBT/GlbKX0ugcT1+trYzkNHhC3Hz36ezyuwIhgA2RPgpvCDoYivu9ibVuGqefXOBiwtV3UAuMAqQgD0u1uaUhEIzN18R5TrPKx7neAA==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 263f4abc-20aa-4acd-000e-08d79e6b5b8c
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Jan 2020 12:13:42.8996 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: iDNCcN/97Ska8N1MLVNpJ861UYm5IUuHCyXqUY8R+8OdoXX/Oud0ldQuMrpNH4fWdopz/+H4iukCtQgoYY/rbg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB3693
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.12, xch-aln-002.cisco.com
X-Outbound-Node: alln-core-1.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/oE6DHitAjbjiK1ceAf1KeJOF2jI>
Subject: Re: [Acme] ACME wildcards vs. subdomain authorizations (was RE: Call for adoption draft-frield-acme-subdomains)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jan 2020 12:13:55 -0000


> -----Original Message-----
> From: Acme <acme-bounces@ietf.org> On Behalf Of Felipe Gasper
> Sent: 20 January 2020 12:32
> To: IETF ACME <acme@ietf.org>
> Subject: Re: [Acme] ACME wildcards vs. subdomain authorizations (was RE: Call
> for adoption draft-frield-acme-subdomains)
> 
> Will this document eventually also describe subdomain authz via the standard
> ACME workflow?
> 
> Examples:
> 
> 1) Client wants a certificate for example.com & www.example.com. Ideally, if
> the client authzs example.com, then authz for www.example.com shouldn’t be
> necessary.
> 
> 2) Now client also wants a separate certificate for sub.example.com and
> www.sub.example.com. Since example.com was already authorized, this
> certificate order should not require any additional authz.
> 
> It seems like the above workflow should “just work”, but since it’s closely
> related to what your document describes I wonder if there’s benefit to
> mentioning it?
> 

[ofriel] That’s the exact workflow that the document is attempting to describe, so maybe it needs to be clarified.
The example section https://tools.ietf.org/html/draft-friel-acme-subdomains-01#section-4.2 (and I realise now looking at it that I messed up the numbered steps - they are all '1') outlines a client authorizing for "example.com" and getting certs for "sub0.example.com", "sub1.example.com" and "sub2.example.com". If its not clear, I can try reword in an update.

> Also, the linked document states:
> 
>    The call flow illustrates the DNS-based proof of ownership mechanism,
>    but the subdomain workflow is equally valid for HTTP based proof of
>    ownership.
> 
> Can’t I have HTTP access to a base domain’s website without having access to a
> subdomain’s, though? I thought that was the reason why ACME limits wildcard
> authz to DNS.

[ofriel] Daniel has clarified this already. Its a Lets Encrypt, not an ACME limitation.

> 
> 
> cheers,
> -Felipe Gasper
> 
> 
> > On Jan 20, 2020, at 6:48 AM, Owen Friel (ofriel) <ofriel@cisco.com> wrote:
> >
> > FYI, https://tools.ietf.org/html/draft-friel-acme-subdomains-01 documents
> the proposed new authorization object field "basedomain"
> >
> >
> >> -----Original Message-----
> >> From: Acme <acme-bounces@ietf.org> On Behalf Of Owen Friel (ofriel)
> >> Sent: 06 December 2019 15:41
> >> To: Salz, Rich <rsalz@akamai.com>om>; acme@ietf.org
> >> Subject: [Acme] ACME wildcards vs. subdomain authorizations (was RE:
> >> Call for adoption draft-frield-acme-subdomains)
> >>
> >> Any comments on this email on how to explicitly distinguish between
> >> wildcard and subdomain authorizations, which hopefully addresses ekr's mic
> comments.
> >>
> >>
> >>> -----Original Message-----
> >>> From: Acme <acme-bounces@ietf.org> On Behalf Of Owen Friel (ofriel)
> >>> Sent: 26 November 2019 22:51
> >>> To: Salz, Rich <rsalz@akamai.com>om>; acme@ietf.org
> >>> Subject: Re: [Acme] Call for adoption draft-frield-acme-subdomains
> >>>
> >>> DNS wildcards are mentioned in 3 sections in RFC8555 (in addition to
> >>> the IANA Considerations section):
> >>>
> >>> 1. https://tools.ietf.org/html/rfc8555#section-7.1.3 Order Objects:
> >>>
> >>>   Any identifier of type "dns" in a newOrder request MAY have a
> >>>   wildcard domain name as its value.  A wildcard domain name consists
> >>>   of a single asterisk character followed by a single full stop
> >>>   character ("*.") followed by a domain name as defined for use in the
> >>>   Subject Alternate Name Extension by [RFC5280].  An authorization
> >>>   returned by the server for a wildcard domain name identifier MUST NOT
> >>>   include the asterisk and full stop ("*.") prefix in the authorization
> >>>   identifier value.  The returned authorization MUST include the
> >>>   optional "wildcard" field, with a value of true.
> >>>
> >>> 2. https://tools.ietf.org/html/rfc8555#section-7.1.4 Authorization Objects:
> >>>
> >>>   If an
> >>>   authorization object conveys authorization for the base domain of a
> >>>   newOrder DNS identifier containing a wildcard domain name, then the
> >>>   optional authorizations "wildcard" field MUST be present with a value
> >>>   of true.
> >>>
> >>> 3. https://tools.ietf.org/html/rfc8555#section-7.4.1
> >>> Pre-authorization
> >>>
> >>>   Note that because the identifier in a pre-authorization request is
> >>>   the exact identifier to be included in the authorization object, pre-
> >>>   authorization cannot be used to authorize issuance of certificates
> >>>   containing wildcard domain names.
> >>>
> >>> For the subdomains use case, it looks as if it makes sense to define
> >>> a "parentdomain" boolean flag (or "basedomainname" or similar) to be
> >>> included in the authorization object for a domain that authorizes
> >>> subdomain certs. The relevant CAB guidelines are quoted in
> >>> https://tools.ietf.org/html/draft-friel-
> >>> acme-subdomains-00#appendix-A.
> >>>
> >>> The authorization object would then explicitly indicate that this is
> >>> a base domain authorization and thus subdomain certs may be issued
> >>> off this. This is conceptually similar to the current "wildcard"
> >>> flag which indicates that a wildcard cert may be issued off the
> >>> identifier in the object, and would definitively differentiate
> >>> wildcard vs. base domain vs. explicit domain authorizations.
> >>>
> >>> Item #3 from section 7.4.1 Pre-authorization is already called out
> >>> as a substantive change from RFC8555: i.e. the identifier in the
> >>> authorization object may be different from the identifier in the
> >>> newAuthz
> >> object.
> >>>
> >>>> -----Original Message-----
> >>>> From: Acme <acme-bounces@ietf.org> On Behalf Of Salz, Rich
> >>>> Sent: 26 November 2019 21:53
> >>>> To: acme@ietf.org
> >>>> Subject: Re: [Acme] Call for adoption draft-frield-acme-subdomains
> >>>>
> >>>> WRONG.  My mistake.
> >>>>
> >>>> Please discuss this, especially the subdomains/wildcard issues.
> >>>> This is *NOT* a call for adoption.  We will take this up in
> >>>> Vancouver, IETF
> >> 107.
> >>>>
> >>>> From: Rich Salz <mailto:rsalz@akamai.com>
> >>>> Date: Tuesday, November 26, 2019 at 4:51 PM
> >>>> To: "mailto:acme@ietf.org" <mailto:acme@ietf.org>
> >>>> Subject: [Acme] Call for adoption draft-frield-acme-subdomains
> >>>>
> >>>> This email starts a ten-day call for adoption. There was consensus
> >>>> in the room at IETF 106 to adopt this as a working group document.
> >>>> If you disagree with that, or have any other strong feelings,
> >>>> please post to the list before the end of next week.
> >>>> Also discussed was the need for some additional clarity around
> >>>> subdomains and the existing wildcard challenges.
> >>>>
> >>>> Thank you.
> >>>>
> >>> _______________________________________________
> >>> Acme mailing list
> >>> Acme@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/acme
> >> _______________________________________________
> >> Acme mailing list
> >> Acme@ietf.org
> >> https://www.ietf.org/mailman/listinfo/acme
> > _______________________________________________
> > Acme mailing list
> > Acme@ietf.org
> > https://www.ietf.org/mailman/listinfo/acme
> 
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme