IETF Logo Mail Archive

Re: [Acme] DNS-ACCOUNT-01 Updates

Seo Suchan <tjtncks@gmail.com> Sat, 13 May 2023 09:24 UTC

Return-Path: <tjtncks@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A98CC16950A for <acme@ietfa.amsl.com>; Sat, 13 May 2023 02:24:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.593
X-Spam-Level:
X-Spam-Status: No, score=-0.593 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.999, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TVD_PH_BODY_ACCOUNTS_PRE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jS9FhykuDcSQ for <acme@ietfa.amsl.com>; Sat, 13 May 2023 02:24:37 -0700 (PDT)
Received: from mail-pl1-x633.google.com (mail-pl1-x633.google.com [IPv6:2607:f8b0:4864:20::633]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A40CC13AE43 for <acme@ietf.org>; Sat, 13 May 2023 02:24:37 -0700 (PDT)
Received: by mail-pl1-x633.google.com with SMTP id d9443c01a7336-1aaec6f189cso74477035ad.3 for <acme@ietf.org>; Sat, 13 May 2023 02:24:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1683969874; x=1686561874; h=in-reply-to:from:references:to:content-language:subject:user-agent :mime-version:date:message-id:from:to:cc:subject:date:message-id :reply-to; bh=ooQqZu+pSs54ZSKOyIiLMkt68CAL1zw4Us0yBac2eMg=; b=BBy3/pn00b7bekSHkjx7cJo5yUNd9ir0ZqO0I1C5q47Vit125w7ROj2inKfLbT/B4Z YRGhcAtOwzoWePBkWbKR3zHeKY6FsFMiiaO2Mi9xN92YX8Wz343I0/d/NWKnuIpGToDA SBEJH20oYVY4K4wwx7oSOn5BQ398yW31DF6cUJ1Vwi0tu9vdN73+hB9ZMQpmUMyR2m9x 5myVK862OkMpQ1DGGpP4ZhwzHXr59ZSJF7ZpHsQDqU1i1fHKs65wuvczkYz3UGejkCz+ g5dz1qYn4HDTMqQ5gLbu829JfHYYyWXYuThzMwarvAX9P6Kd60w6VlaRXo0lcu/jglR2 yd6g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1683969874; x=1686561874; h=in-reply-to:from:references:to:content-language:subject:user-agent :mime-version:date:message-id:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=ooQqZu+pSs54ZSKOyIiLMkt68CAL1zw4Us0yBac2eMg=; b=USDnR6+YMr90JHzm0S+i1w2gzlMHOc7Yi6F8VwwWJ1QmoEVeh0UtZQGcX3wFIRPBHg JG+3FHwr/QsHONOBQtrvvlUajL95be5OfNDUFTGVqKI7N2936EByHXBj4buROI9GYYYH X4CJ4Is77E1YX9Xf8vmQBKvr72Rz8sBGbwQNGv+Nw4jV2+piq9K7R7BOWR4wTvjcU27Y M5+ovxhwDqXoQ21DITX6npT4vt0ocG5rHfjGWiAgIdwsZ0XZcRh4pXt4ZoiRDeDFGS0a nYmpqz6dfGQq/dFa3obASQb1mXHBuY44NXuuzM9q1JOSXZN+jKSjYSXZFXUGSQpPKuWl W2FQ==
X-Gm-Message-State: AC+VfDwSzlIwB0msuoq2ERRb9z4cEuKhgb8YWKb8BwFe4e7vLmg86UEu ktG2rCzGB/sCWh4KCI9VUtidGymhHuk=
X-Google-Smtp-Source: ACHHUZ6FUncYYuhwcIFRIXd6LK+TGk7yWR9WhvWPCS4sRhjISyVJx6UaOa3aSyKp1eJc7+82mvjd2A==
X-Received: by 2002:a17:902:9346:b0:1aa:ef83:34be with SMTP id g6-20020a170902934600b001aaef8334bemr25533415plp.47.1683969874046; Sat, 13 May 2023 02:24:34 -0700 (PDT)
Received: from [192.168.200.103] ([119.64.89.133]) by smtp.gmail.com with ESMTPSA id jd12-20020a170903260c00b001ac937171e4sm9339077plb.254.2023.05.13.02.24.33 for <acme@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 13 May 2023 02:24:33 -0700 (PDT)
Content-Type: multipart/alternative; boundary="------------ne29yp4ElIqDAZ70Db6cfeJp"
Message-ID: <ebd953b1-ce32-02ac-f133-86586c6278e6@gmail.com>
Date: Sat, 13 May 2023 18:24:31 +0900
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.11.0
Content-Language: en-US
To: acme@ietf.org
References: <22209596-7C4D-42F4-9415-98F106047C33@gmail.com> <CAEmnErcRPMn9SiBNHtS0-oVEXVJCR+c9eXavGXMU6NLgoakwsA@mail.gmail.com> <CAMEWqGsXZGmP2VXcEemxM9T+2+zAppY2orP6wXyW+1xCeHuviA@mail.gmail.com>
From: Seo Suchan <tjtncks@gmail.com>
In-Reply-To: <CAMEWqGsXZGmP2VXcEemxM9T+2+zAppY2orP6wXyW+1xCeHuviA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/wNhqs7507OQe2FKOf0PYPLw1PdY>
Subject: Re: [Acme] DNS-ACCOUNT-01 Updates
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 May 2023 09:24:41 -0000

I kinda think TLS-SNI-02 was made as version 2 of TLS-SNI-01, but it 
doesn't matter as they are no longer a thing

2023-05-13 오전 3:43에 Q Misell 이(가) 쓴 글:
>
> I'm also in favour of calling it DNS-02. I highly doubt there will be 
> many (if any) versions of challenges beyond version 1. It makes more 
> sense to me to read DNS-02 and DNS challenge type 2, not a upgraded 
> edition of version 1.
> ------------------------------------------------------------------------
>
> Any statements contained in this email are personal to the author and 
> are not necessarily the statements of the company unless specifically 
> stated. AS207960 Cyfyngedig, having a registered office at 13 
> Pen-y-lan Terrace, Caerdydd, Cymru, CF23 9EU, trading as Glauca 
> Digital, is a company registered in Wales under № 12417574 
> <https://find-and-update.company-information.service.gov.uk/company/12417574>. 
> ICO register №: ZA782876 
> <https://ico.org.uk/ESDWebPages/Entry/ZA782876>. UK VAT №: 
> GB378323867. EU VAT №: EU372013983. Turkish VAT №: 0861333524. South 
> Korean VAT №: 522-80-03080. Glauca Digital and the Glauca logo are 
> registered trademarks in the UK, under № UK00003718474 and № 
> UK00003718468, respectively.
>
>
>
> On Fri, 12 May 2023 at 17:58, Aaron Gable 
> <aaron=40letsencrypt.org@dmarc.ietf.org> wrote:
>
>     For what it's worth, I'm in favor of calling it DNS-02. Despite
>     your totally correct descriptions of the disadvantages of this new
>     method, I *do* still view it as a generally-improved version of
>     DNS-01. It's obviously backwards-incompatible, hence the new major
>     version number, but it is generally an improvement that creates
>     more flexibility for clients at little cost. I also find the name
>     "DNS-ACCOUNT-01" to be slightly unfortunate, as no "dns accounts"
>     are involved -- it makes sense once you understand the method, but
>     the name gives little to no hint to how the method works on its own.
>
>     Aaron
>
>     On Thu, May 11, 2023 at 4:52 PM Antonios Chariton
>     <daknob.mac@gmail.com> wrote:
>
>         Hello everyone,
>
>         I’m sending this e-mail to the list to update you all on
>         DNS-ACCOUNT-01 and the news we have since the presentation in
>         IETF 116.
>
>         You can all help by reviewing the text[0], these updates, and
>         sharing your opinion in this thread here!
>
>         The CA/B Forum 2023-05-04 meeting discussed DNS-ACCOUNT-01 and
>         three things came out of it, as it is evident in the minutes[1]:
>
>         1) This method is compatible with the CA/B Forum Baseline
>         Requirements that are binding for all WebPKI CAs, specifically
>         section 3.2.2.4.7 for agreed-upon change to a DNS record. This
>         means that CAs can start using this standard immediately, and
>         there are no other dependencies. The design seemed to be good
>         in its current version. Obviously, quick changes to their
>         CP/CPS may be required, but this is not blocking and unilateral.
>
>         2) There is a documented need for various usecases where this
>         challenge would help, from several stakeholders, and evidence
>         that it could be beneficial to the ecosystem and its
>         development. It allows ACME to be used in even more situations
>         where more traditional and non-automatable methods had to be
>         relied upon.
>
>         3) There was a suggestion to rename this challenge to DNS-02.
>         This is something that we had rejected back when we created
>         this challenge, however it has been suggested several times,
>         so we are happy to reconsider this. It may be the right choice.
>
>         There’s no published precedence of what -02 means right now,
>         so it’s unclear whether it is a second option, or a next
>         generation / improved challenge. We never planned to replace
>         DNS-01 with our challenge, we always intended to add more
>         options, and cover more use cases. Here are some technical
>         “disadvantages” of this work vs DNS-01:
>
>         1) ACME Clients need to calculate the correct label. Although
>         we provide the algorithm, a bash script, and test vectors,
>         anecdotal data from ISRG suggest that some clients still mess
>         things up (implementing RFC 8555), so this is another value
>         where this may happen. An easy solution here would be to share
>         the expected label with the client, but we decided against
>         this to protect against cross-protocol attacks, and also to
>         protect the client against an ACME server giving it arbitrary
>         DNS records to change. If clients calculate this
>         independently, they don’t need to trust the server.
>
>         2) The label is longer, so some very very long domain names
>         may no longer work. Since this is 17 characters longer than
>         DNS-01’s label, anything approaching the various limits (of
>         DNS, etc.) may break. For example, if in DNS-01 you end up
>         with a 236-253 character domain name to check for the TXT
>         record, then DNS-ACCOUNT-01 will go over the limit and won’t
>         work. We don’t consider this to be a major problem. We’re also
>         not aware of many domain names in the 236-253 character range.
>
>         3) If an ACME client for whatever reason loses access to the
>         ACME account, this “set and forget” DNS label now has to
>         change. Things would break here with other standards too (if
>         you need an EAB token, you can’t create a new account anyways,
>         if you limit the ACME account via CAA records, you can’t
>         issue, etc.) but DNS-ACCOUNT-01 would just add to the things
>         that would have to be taken into account. We don’t currently
>         consider this a huge issue, but if you think it could be, let
>         us know.
>
>         As you can see, these 3 tradeoffs above had to be made, to
>         ensure we can cover more use cases. We think these are good
>         tradeoffs for an additional ACME challenge, but perhaps they
>         are not for an “upgraded” one.
>
>         What do you think about the naming? Do you perceive “DNS-02”
>         as an improved version, or as a second option? We are happy to
>         rename this to DNS-02 and we have no plans of breaking any
>         ACME server or client already using DNS-01 :)
>
>         Thanks for reading through this, and I am happy to hear your
>         thoughts and get reviews on the draft, so we can move further
>         with this work.
>
>         Antonios Chariton
>         Independent Contributor ;)
>
>         - - -
>         Links:
>
>         [0] :
>         https://archive.cabforum.org/pipermail/validation/2023-May/001892.html
>         [1] :
>         https://daknob.github.io/draft-todo-chariton-dns-account-01/
>         _______________________________________________
>         Acme mailing list
>         Acme@ietf.org
>         https://www.ietf.org/mailman/listinfo/acme
>
>     _______________________________________________
>     Acme mailing list
>     Acme@ietf.org
>     https://www.ietf.org/mailman/listinfo/acme
>
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme

v2.23.0 | Report a Bug | By Email