Re: [Acme] draft-todo-chariton-dns-account-01

Melinda Shore <melinda.shore@gmail.com> Mon, 02 January 2023 00:49 UTC


On 1/1/23 2:22 PM, Michael Richardson wrote:
> I'm not entirely sure why I would want to delegate the domain validation to
> more than one entity.  That seems like a source of insecurity.

Right.  But the use case motivating this, to clarify, is multi-CDN
deployments.  I agree that the document could be clearer about
this - the underlying problem can be a little difficult to wrap
your head around.

This isn't the only way to solve the problem (currently empty
server responses could be leveraged, for example, or some appalling
DNS goo) but this proposal is straightforward and reasonable, and
there is a need in CDN-land for something that allows multiple
domain control validators.  So, I'd like to see something published
and I think this document is a good place to start.

Melinda

-- 
Melinda Shore
melinda.shore@gmail.com

Software longa, hardware brevis