[Acme] expiry in dns-account-01

Jacob Hoffman-Andrews <jsha@letsencrypt.org> Wed, 20 March 2024 00:23 UTC

From: Jacob Hoffman-Andrews <jsha@letsencrypt.org>
Date: Tue, 19 Mar 2024 17:22:47 -0700
Message-ID: <CAN3x4QkwmVDYt9xsoBaEfH2WQg5jr8J_73GB2JYVM3+z3TLjwQ@mail.gmail.com>
To: acme@ietf.org
Content-Type: multipart/alternative; boundary="000000000000a5d00506140c9870"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/vNXMSqnwJHQjmqb-lmGGNCbW4xo>
Subject: [Acme] expiry in dns-account-01

The latest dns-account-01 draft (https://datatracker.ietf.org/doc/html/draft-ietf-acme-scoped-dns-challenges-00) incorporates recommendations from the dnsop domain control verification draft (https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-domain-verification-techniques-03).

The dnsop draft says:

> Providers MUST provide clear instructions on when a validation record can
> be removed. These instructions SHOULD be encoded in the RDATA via
> comma-separated ASCII key-value pairs [RFC1464], using the key "expiry" to
> hold a time after which it is safe to remove the validation record.

But the ACME draft doesn't specify that. I think it should! The specified
expiry should be the expiry of the pending authorization object. After that
point, the challenge will never be validated and the record can be removed.

This brings up a separate question: Should subscribers be able to specify
what maximum lifetime they want for the validated authorization? For
instance, some subscribers might want to never reuse authorizations.
Currently they can achieve that by deactivating authorizations after
issuance, but it could be more convenient to do it preemptively. One option
would be to encode it in the TXT record. But if we specify such a thing I
think we'd want it to work for any challenge type, probably by making it
part of the challenge POST. So, out of scope for this draft, I think.
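As an added illustration of the mechanism the post proposes (this is example code, not part of the message, the ACME draft, or the dnsop draft): the CA emits the pending authorization's expiry as an RFC 1464-style `expiry=` attribute in the validation TXT RDATA, and a subscriber's cleanup job uses that attribute to decide when a record is safe to delete. The record layout (a bare validation digest as the first comma-separated field, followed by `key=value` pairs), the RFC 3339 UTC timestamp format, and the sample values are all assumptions made for the example; a record with no `expiry` attribute is deliberately kept, since the post's point is that without that instruction the subscriber has no safe removal signal.

```python
"""Emit and interpret an "expiry" attribute in a DNS validation TXT record.

Added example; the record layout below (digest first, then RFC 1464-style
key=value pairs, timestamps in RFC 3339 UTC) is an assumption, not text
from either draft.
"""
from datetime import datetime, timezone


def parse_timestamp(value: str) -> datetime:
    """Parse an RFC 3339 UTC timestamp such as 2024-03-27T00:22:47Z."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    stamp = datetime.fromisoformat(value)
    if stamp.tzinfo is None:
        raise ValueError(f"timestamp must carry a zone: {value!r}")
    return stamp.astimezone(timezone.utc)


def format_timestamp(stamp: datetime) -> str:
    """Render a timezone-aware datetime as RFC 3339 UTC with 'Z'."""
    return stamp.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_validation_rdata(rdata: str) -> tuple[list[str], dict[str, str]]:
    """Split TXT RDATA into bare fields and key=value attributes.

    Comma-separated, attribute keys compared case-insensitively (RFC 1464).
    Fields without '=' (e.g. the validation digest) are returned in order.
    """
    bare: list[str] = []
    attrs: dict[str, str] = {}
    for field in rdata.split(","):
        field = field.strip()
        if not field:
            continue
        if "=" in field:
            key, value = field.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            bare.append(field)
    return bare, attrs


def build_validation_rdata(digest: str, authz_expires: str) -> str:
    """CA side: attach the pending authorization's expiry to the record.

    `digest` is the challenge validation value; `authz_expires` is the
    authorization object's expiry, as the post recommends.
    """
    if "," in digest or "=" in digest:
        raise ValueError("digest must not contain the attribute delimiters")
    # Round-trip through the parser so a malformed expiry fails here, not later.
    return f"{digest},expiry={format_timestamp(parse_timestamp(authz_expires))}"


def safe_to_remove(rdata: str, now: str) -> bool:
    """Subscriber side: True once the record's expiry has passed.

    A record that carries no expiry instruction is kept, because the
    subscriber cannot know whether the CA may still query it.
    """
    _, attrs = parse_validation_rdata(rdata)
    expiry = attrs.get("expiry")
    if expiry is None:
        return False
    return parse_timestamp(now) >= parse_timestamp(expiry)


def records_to_remove(rdatas: list[str], now: str) -> list[str]:
    """Select the removable subset of a TXT RRset (several pending authz)."""
    return [r for r in rdatas if safe_to_remove(r, now)]


# Constructed sample RRset at one validation name, checked on 2024-03-27T00:00:00Z.
SAMPLE_NOW = "2024-03-27T00:00:00Z"
SAMPLE_RRSET = [
    build_validation_rdata("digest-old", "2024-03-26T23:59:00Z"),  # expired
    build_validation_rdata("digest-new", "2024-03-28T00:00:00Z"),  # pending
    "digest-legacy",                                               # no expiry
]

if __name__ == "__main__":
    print(records_to_remove(SAMPLE_RRSET, SAMPLE_NOW))
```

The parser tolerates records in the current, attribute-free form, so a cleanup job can be deployed before every CA emits the attribute; only records that carry an explicit, elapsed `expiry` are selected for deletion.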