Re: [Acme] Call for adoption draft-frield-acme-subdomains

"Owen Friel (ofriel)" <ofriel@cisco.com> Tue, 26 November 2019 22:51 UTC

From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: "Salz, Rich" <rsalz@akamai.com>, "acme@ietf.org" <acme@ietf.org>
Thread-Topic: [Acme] Call for adoption draft-frield-acme-subdomains
Thread-Index: AQHVpKPZ0GBOyIfka0a/EUunN9kmxaeeDbqQ
Date: Tue, 26 Nov 2019 22:50:45 +0000
Message-ID: <MN2PR11MB3901BAA9434257C7FDEA5BCFDB450@MN2PR11MB3901.namprd11.prod.outlook.com>
References: <5A328634-1813-418C-9D50-758360B2CEB9@akamai.com>
In-Reply-To: <5A328634-1813-418C-9D50-758360B2CEB9@akamai.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/v7_CguuzlDWqDC_w7obyBr6woPg>
Subject: Re: [Acme] Call for adoption draft-frield-acme-subdomains
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Nov 2019 22:51:01 -0000

DNS wildcards are mentioned in 3 sections in RFC8555 (in addition to the IANA Considerations section):

1. https://tools.ietf.org/html/rfc8555#section-7.1.3 Order Objects:

   Any identifier of type "dns" in a newOrder request MAY have a
   wildcard domain name as its value.  A wildcard domain name consists
   of a single asterisk character followed by a single full stop
   character ("*.") followed by a domain name as defined for use in the
   Subject Alternate Name Extension by [RFC5280].  An authorization
   returned by the server for a wildcard domain name identifier MUST NOT
   include the asterisk and full stop ("*.") prefix in the authorization
   identifier value.  The returned authorization MUST include the
   optional "wildcard" field, with a value of true.

2. https://tools.ietf.org/html/rfc8555#section-7.1.4 Authorization Objects:

   If an
   authorization object conveys authorization for the base domain of a
   newOrder DNS identifier containing a wildcard domain name, then the
   optional authorizations "wildcard" field MUST be present with a value
   of true.

3. https://tools.ietf.org/html/rfc8555#section-7.4.1 Pre-authorization

   Note that because the identifier in a pre-authorization request is
   the exact identifier to be included in the authorization object, pre-
   authorization cannot be used to authorize issuance of certificates
   containing wildcard domain names.

For the subdomains use case, it looks as if it makes sense to define a "parentdomain" boolean flag (or "basedomainname" or similar) to be included in the authorization object for a domain that authorizes subdomain certs. The relevant CAB guidelines are quoted in https://tools.ietf.org/html/draft-friel-acme-subdomains-00#appendix-A.

The authorization object would then explicitly indicate that this is a base domain authorization and thus subdomain certs may be issued off this. This is conceptually similar to the current "wildcard" flag which indicates that a wildcard cert may be issued off the identifier in the object, and would definitively differentiate wildcard vs. base domain vs. explicit domain authorizations.

Item #3 from section 7.4.1 Pre-authorization is already called out as a substantive change from RFC8555: i.e. the identifier in the authorization object may be different from the identifier in the newAuthz object.

> -----Original Message-----
> From: Acme <acme-bounces@ietf.org> On Behalf Of Salz, Rich
> Sent: 26 November 2019 21:53
> To: acme@ietf.org
> Subject: Re: [Acme] Call for adoption draft-frield-acme-subdomains
> 
> WRONG.  My mistake.
> 
> Please discuss this, especially the subdomains/wildcard issues.  This is *NOT* a
> call for adoption.  We will take this up in Vancouver, IETF 107.
> 
> From: Rich Salz <mailto:rsalz@akamai.com>
> Date: Tuesday, November 26, 2019 at 4:51 PM
> To: "mailto:acme@ietf.org" <mailto:acme@ietf.org>
> Subject: [Acme] Call for adoption draft-frield-acme-subdomains
> 
> This email starts a ten-day call for adoption. There was consensus in the room at
> IETF 106 to adopt this as a working group document. If you disagree with that,
> or have any other strong feelings, please post to the list before the end of next
> week.
> Also discussed was the need for some additional clarity around subdomains and
> the existing wildcard challenges.
> 
> Thank you.
>
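As an added illustration of the three authorization kinds discussed in the message above (explicit name, RFC 8555 "wildcard", and the proposed parent-domain flag), the following Python is example code written for this page; it is not from the e-mail, from draft-friel-acme-subdomains, or from any ACME implementation. It assumes the proposed flag is spelled "parentdomain" (the message offers that name only as one option), assumes a parent-domain authorization covers subdomains at any depth, and, because RFC 8555 leaves it to CA policy, treats a wildcard-only authorization as covering only the "*.<base>" name and not the bare base name. The sample authorization objects are constructed for the example.

```python
"""Added example: decide whether an ACME authorization object covers a
requested "dns" identifier from a newOrder, distinguishing:

  explicit      no flags; covers exactly the stored name
  wildcard      RFC 8555 "wildcard": true; the stored identifier omits the
                "*." prefix and the authz covers "*.<base>" requests
  parentdomain  flag proposed in the message (hypothetical name, not in
                RFC 8555); assumed to cover the base and any subdomain below it

Assumptions are marked in comments; nothing here is the draft's own text.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Authz:
    value: str                   # identifier value as returned by the server
    status: str = "valid"
    wildcard: bool = False       # RFC 8555 section 7.1.4
    parentdomain: bool = False   # proposed flag; hypothetical spelling


# Constructed sample authorization objects, in the RFC 8555 JSON shape.
SAMPLE_AUTHZ_JSON = """[
 {"identifier": {"type": "dns", "value": "example.org"}, "status": "valid", "wildcard": true},
 {"identifier": {"type": "dns", "value": "example.com"}, "status": "valid", "parentdomain": true},
 {"identifier": {"type": "dns", "value": "www.example.net"}, "status": "valid"},
 {"identifier": {"type": "dns", "value": "pending.example"}, "status": "pending"}
]"""


def load_authzs(text: str) -> list[Authz]:
    """Parse authorization objects; non-dns identifiers are skipped."""
    out = []
    for obj in json.loads(text):
        ident = obj.get("identifier", {})
        if ident.get("type") != "dns":
            continue
        out.append(Authz(value=ident["value"],
                         status=obj.get("status", "pending"),
                         wildcard=bool(obj.get("wildcard", False)),
                         parentdomain=bool(obj.get("parentdomain", False))))
    return out


def _labels(name: str) -> list[str]:
    """Normalise a DNS name to lower-case labels, dropping a trailing dot."""
    return name.rstrip(".").lower().split(".")


def classify(authz: Authz) -> str:
    """Name the authorization kind so the three cases are explicit in logs."""
    if authz.wildcard and authz.parentdomain:
        return "wildcard+parentdomain"
    if authz.wildcard:
        return "wildcard"
    if authz.parentdomain:
        return "parentdomain"
    return "explicit"


def covers(authz: Authz, requested: str) -> bool:
    """True if `authz` authorizes issuance for the newOrder identifier `requested`."""
    if authz.status != "valid":
        return False
    base = _labels(authz.value)
    req = _labels(requested)
    # RFC 8555: the stored identifier never carries "*."; treat a stray "*" or
    # empty label as malformed rather than guessing.
    if "*" in base or "" in base or "" in req:
        return False
    if req[0] == "*":
        # Wildcard request: exactly one leading "*." and a wildcard-capable
        # authz for exactly the base (a wildcard covers a single label only).
        if len(req) < 2 or "*" in req[1:]:
            return False
        return authz.wildcard and req[1:] == base
    if "*" in req:
        return False          # "*" anywhere but the first label is invalid
    if req == base:
        # Assumption: a wildcard-only authz covers only "*.<base>"; whether it
        # also covers the bare base name is CA policy, so reject it here.
        return authz.parentdomain or not authz.wildcard
    # Strict subdomain of the base: only the proposed parent-domain authz
    # covers it. Assumption: any depth below the base, not just one label.
    return (authz.parentdomain
            and len(req) > len(base)
            and req[-len(base):] == base)


def match_order(order_identifiers: list[str], authzs: list[Authz]) -> dict:
    """Map each order identifier to the first covering authz (None if none)."""
    return {ident: next((a for a in authzs if covers(a, ident)), None)
            for ident in order_identifiers}


if __name__ == "__main__":
    authzs = load_authzs(SAMPLE_AUTHZ_JSON)
    for a in authzs:
        print(f"{a.value:20s} {classify(a)}")
    for ident, a in match_order(["*.example.org", "a.b.example.com",
                                 "www.example.net", "example.com.evil"],
                                authzs).items():
        print(f"{ident:20s} -> {a.value if a else 'not authorized'}")
```

The point of `covers` is that the three kinds stay mutually distinguishable: an explicit authorization never yields a wildcard or subdomain certificate, a wildcard authorization yields only the single-label wildcard name, and only the proposed parent-domain flag reaches names below the base. Suffix matching is done on labels, not on strings, so `example.com.evil` and `notexample.com` cannot ride on an `example.com` authorization.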