Re: [Acme] Assisted-DNS challenge type

Tim Hollebeek <tim.hollebeek@digicert.com> Tue, 23 January 2018 16:37 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Jacob Hoffman-Andrews <jsha@eff.org>, "acme@ietf.org" <acme@ietf.org>
Thread-Topic: [Acme] Assisted-DNS challenge type
Thread-Index: AQHTk+bnhp5n4/MXBkSFk/b1xrWsE6OBp29w
Date: Tue, 23 Jan 2018 16:37:44 +0000
Message-ID: <DM5PR14MB1289780FE7165120F0EEE14083E30@DM5PR14MB1289.namprd14.prod.outlook.com>
References: <bbaea6b0-65dc-9dff-0a23-e55e6eebb580@eff.org>
In-Reply-To: <bbaea6b0-65dc-9dff-0a23-e55e6eebb580@eff.org>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/wF2OsE9-Sx9Ve5e4sZwYxDNbFNw>

> This challenge has the big advantage that subscribers only need to do a one-
> time CNAME setup, and renewals can be reliably automated without requiring
> that renewing systems have permission to update DNS. In effect, the CNAME
> record would act like a long-term delegation permitting the CA to issue
> continuously for the base domain.

Yes, not having to validate domains saves customers a lot of time and effort!
See BR validation methods #1 and #5 for more information!! 😊

Your proposed method defeats one of the goals of the BR domain control 
validation requirements, which is to demonstrate control at time of validation, 
not just at some previous time in the past.  That's why the existing, approved
validation methods require random numbers to guarantee the validation is
fresh and not based on some previous validation.

If control at some time in the past is sufficient, you can just re-use the previous 
validation, which is allowed in some circumstances (see the BRs).

-Tim
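The freshness point above, worked through as an added example that is not part of this thread and not any CA's code. It models the random-token construction of the ACME dns-01 challenge from RFC 8555 (the TXT record at `_acme-challenge.<domain>` holds base64url(SHA-256(token "." account-key-thumbprint)), and a challenge that has been attempted is consumed, as a failed challenge becomes invalid). The `DelegationCA` class is a constructed model of the one-time CNAME idea being discussed, not a specified protocol; the zone, domain and thumbprint values are constructed placeholders.

```python
"""Freshness in domain validation: per-validation random tokens versus a
one-time delegation record. Added example; the Zone, DelegationCA and all
sample values are constructed for illustration."""
from __future__ import annotations

import base64
import hashlib
import secrets
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses for tokens and digests."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


class Zone:
    """Constructed in-memory stand-in for the subscriber's DNS zone."""

    def __init__(self) -> None:
        self.txt: dict[str, str] = {}
        self.cname: dict[str, str] = {}

    def set_txt(self, name: str, value: str) -> None:
        self.txt[name.lower()] = value

    def get_txt(self, name: str) -> Optional[str]:
        return self.txt.get(name.lower())

    def set_cname(self, name: str, target: str) -> None:
        self.cname[name.lower()] = target.lower()

    def get_cname(self, name: str) -> Optional[str]:
        return self.cname.get(name.lower())


class FreshnessCA:
    """CA that issues a new random token for every validation (RFC 8555 dns-01)."""

    def __init__(self) -> None:
        # (domain, token) -> account key thumbprint; consumed on any attempt
        self.pending: dict[tuple[str, str], str] = {}

    def new_challenge(self, domain: str, thumbprint: str) -> str:
        token = b64url(secrets.token_bytes(32))  # fresh and unpredictable per request
        self.pending[(domain, token)] = thumbprint
        return token

    @staticmethod
    def expected_txt(token: str, thumbprint: str) -> str:
        # keyAuthorization = token "." thumbprint; TXT = base64url(SHA-256(keyAuthorization))
        key_auth = f"{token}.{thumbprint}".encode("ascii")
        return b64url(hashlib.sha256(key_auth).digest())

    def validate(self, zone: Zone, domain: str, token: str) -> bool:
        thumbprint = self.pending.pop((domain, token), None)
        if thumbprint is None:
            return False  # unknown, expired or already-attempted token
        observed = zone.get_txt(f"_acme-challenge.{domain}")
        return observed == self.expected_txt(token, thumbprint)


class DelegationCA:
    """Constructed model of the one-time CNAME idea: once the delegation record
    is present, every later check passes with no fresh proof of control."""

    def __init__(self, delegation_target: str) -> None:
        self.delegation_target = delegation_target.lower()

    def validate(self, zone: Zone, domain: str) -> bool:
        return zone.get_cname(f"_acme-challenge.{domain}") == self.delegation_target


THUMBPRINT = "constructed-account-key-thumbprint"  # placeholder, not a real JWK thumbprint


def run_scenario(domain: str = "example.com") -> dict[str, bool]:
    """Two renewals under the fresh-token model, then the delegation model."""
    zone, ca = Zone(), FreshnessCA()
    name = f"_acme-challenge.{domain}"

    # Renewal 1: subscriber publishes the record matching the fresh token.
    t1 = ca.new_challenge(domain, THUMBPRINT)
    zone.set_txt(name, ca.expected_txt(t1, THUMBPRINT))
    first = ca.validate(zone, domain, t1)

    # Renewal 2: new token issued, but the zone still holds last time's record.
    t2 = ca.new_challenge(domain, THUMBPRINT)
    stale = ca.validate(zone, domain, t2)  # old proof is not evidence of control now

    # Re-presenting the already-used token t1 also fails: it was consumed.
    replay = ca.validate(zone, domain, t1)

    # Only after DNS is updated for a current token does the renewal succeed.
    t3 = ca.new_challenge(domain, THUMBPRINT)
    zone.set_txt(name, ca.expected_txt(t3, THUMBPRINT))
    second = ca.validate(zone, domain, t3)

    # Delegation model: a record set once is accepted on every later check.
    dzone = Zone()
    dzone.set_cname(name, "validation.ca.example")  # constructed delegation target
    dca = DelegationCA("validation.ca.example")
    delegation_always = all(dca.validate(dzone, domain) for _ in range(3))

    return {"first": first, "stale": stale, "replay": replay,
            "second": second, "delegation_always": delegation_always}


if __name__ == "__main__":
    for check, result in run_scenario().items():
        print(f"{check}: {result}")
```

The contrast is the whole point of Tim's objection: `FreshnessCA` cannot be satisfied by anything left over from an earlier validation, because both the token and the derived TXT value change every time and a used token is not accepted again, whereas `DelegationCA` keeps passing on the strength of a record that proved control only once.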