Re: [Acme] acme subdomains open items

"Owen Friel (ofriel)" <ofriel@cisco.com> Fri, 04 December 2020 15:25 UTC

From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Felipe Gasper <felipe@felipegasper.com>
CC: "acme@ietf.org" <acme@ietf.org>
Date: Fri, 04 Dec 2020 15:25:05 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/u0CYpF9wEy4EQnZM42lzPk0WdI4>

That is what is currently documented – the server simply picks the one domain that it wants the client to fulfil the challenge against.

That was presented as the current documented approach. I also presented the open questions on whether we need to build flexibility into the client request and/or the server response. There were no concrete opinions as far as I recall (waiting on the exact minutes), and Rich said to bring the questions to the mailer for further discussion.

Cheers,
Owen


From: Acme <acme-bounces@ietf.org> On Behalf Of Felipe Gasper
Sent: 04 December 2020 21:35
To: Owen Friel (ofriel) <ofriel=40cisco.com@dmarc.ietf.org>
Cc: acme@ietf.org
Subject: Re: [Acme] acme subdomains open items

I wasn’t part of IETF 109... was it discussed simply to give CAs the ability to choose whether they try authz against parent domains without the client’s requesting it?

This is how our (non-ACME) Sectigo integration works currently, and it suits us well.

-F


On Dec 4, 2020, at 02:23, Owen Friel (ofriel) <ofriel=40cisco.com@dmarc.ietf.org> wrote:

Hi all,

As recommended by the chairs at IETF 109, I'm bringing the two open items to the list for discussion. These were raised by Felipe and Ryan previously.

1: Does the client need a mechanism to indicate that they want to authorize a parent domain and not the explicit subdomain identifier? Or a mechanism to indicate that they are happy to authorize against a choice of identifiers?

E.g. for foo1.foo2.bar.example.com, should the client be able to specify anywhere from 1 to 4 identifiers they are willing to fulfil challenges for?

2: Does the server need a mechanism to provide a choice of identifiers to the client and let the client chose which challenge to fulfil?

E.g. for foo1.foo2.bar.example.com, should the server be able to specify anywhere from 1 to 4 identifiers that the client can pick from to fulfil?

Both 1 and 2 require JSON object definition changes. Currently, the document only defines how a client can submit a newOrder / newAuthz for a subdomain, and the server can choose any one parent identifier that it requires a challenge fulfilment on.

Owen

https://datatracker.ietf.org/meeting/109/materials/slides-109-acme-subdomains-01

https://tools.ietf.org/html/draft-friel-acme-subdomains-03#section-4

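The behaviour the thread describes, as an added example that is not code from the draft, from any CA, or from the people quoted above: the server walks up from the requested name and picks exactly one identifier (the "currently documented" approach, modelled with an assumed max_levels_up policy knob), and the client checks, before publishing anything, that the identifier it was handed is the requested name or one of its ancestors above the public suffix. The "subdomainAuthAllowed" field name is taken from later versions of the draft and is an assumption here; the public-suffix set is a constructed stub, and the dns-01 token is a constructed value.

```python
"""Added example: modelling the one-choice server behaviour and the client-side
check for ACME subdomain authorizations. Not the draft's or any CA's code.
Assumptions: the "subdomainAuthAllowed" field name, the max_levels_up policy
knob, and the stub public-suffix set below.
"""
import json
import secrets

# Constructed stub standing in for the Public Suffix List. A real client or
# server must use the real list so that "com" is never offered as an
# identifier the client could "prove control" of.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def candidate_identifiers(fqdn: str) -> list:
    """fqdn and each ancestor up to, but excluding, the public suffix.

    "foo1.foo2.bar.example.com" -> ["foo1.foo2.bar.example.com",
    "foo2.bar.example.com", "bar.example.com", "example.com"]
    """
    labels = fqdn.rstrip(".").lower().split(".")
    out = []
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in PUBLIC_SUFFIXES:
            break
        out.append(name)
    if not out:
        raise ValueError(f"{fqdn!r} is a public suffix and cannot be authorized")
    return out


def server_choose_authz_identifier(requested: str, max_levels_up: int) -> str:
    """Current draft text: the server picks exactly one identifier.

    max_levels_up is an assumed CA policy knob: 0 means the explicit name,
    larger values let the CA walk up the tree towards the registrable domain.
    """
    cands = candidate_identifiers(requested)
    return cands[min(max(max_levels_up, 0), len(cands) - 1)]


def build_authorization(requested: str, chosen: str) -> dict:
    """Server-side authorization object for the chosen identifier.

    Only the dns-01 challenge is shown; the token is a constructed value.
    """
    authz = {
        "identifier": {"type": "dns", "value": chosen},
        "status": "pending",
        "challenges": [{"type": "dns-01", "token": secrets.token_urlsafe(32)}],
    }
    if chosen != requested:
        # Assumed field name: marks this authz as covering subdomains of chosen.
        authz["subdomainAuthAllowed"] = True
    return authz


def dns01_record_name(identifier: str) -> str:
    """Where the dns-01 TXT record is published: at the chosen identifier,
    so for a parent authorization that is _acme-challenge.<parent>."""
    return "_acme-challenge." + identifier


def client_accepts_authz(requested: str, authz: dict) -> bool:
    """Client-side check before fulfilling a challenge.

    Rejects any authorization whose identifier is not the requested name or
    one of its ancestors above the public suffix, and rejects a parent
    identifier that is not flagged as a subdomain authorization. Without this
    a buggy or hostile server could steer the client into publishing challenge
    responses under names it never asked to prove control of.
    """
    ident = authz.get("identifier", {})
    if ident.get("type") != "dns":
        return False
    value = str(ident.get("value", "")).rstrip(".").lower()
    allowed = candidate_identifiers(requested)
    if value not in allowed:
        return False
    if value != allowed[0] and authz.get("subdomainAuthAllowed") is not True:
        return False
    return True


if __name__ == "__main__":
    name = "foo1.foo2.bar.example.com"
    print("candidates:", candidate_identifiers(name))
    chosen = server_choose_authz_identifier(name, max_levels_up=3)
    authz = build_authorization(name, chosen)
    print(json.dumps(authz, indent=2))
    print("publish TXT at:", dns01_record_name(chosen))
    print("client accepts:", client_accepts_authz(name, authz))
```

With max_levels_up=3 the server lands on example.com, the client publishes the TXT record at _acme-challenge.example.com, and the same authorization can later cover other names under example.com. The client check is the part worth keeping whatever the JSON ends up looking like: the set of names a client is willing to answer challenges for must be derived from what it asked for, not from what the server sends back.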