Re: [Acme] orders, authorizations, and identifiers (oh my)

Felipe Gasper <felipe@felipegasper.com> Tue, 16 July 2019 14:11 UTC

Return-Path: <felipe@felipegasper.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5136712006A for <acme@ietfa.amsl.com>; Tue, 16 Jul 2019 07:11:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=felipegasper.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X_JSwy-CT1BA for <acme@ietfa.amsl.com>; Tue, 16 Jul 2019 07:11:27 -0700 (PDT)
Received: from web1.siteocity.com (web1.siteocity.com [67.227.147.204]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51C8B120033 for <acme@ietf.org>; Tue, 16 Jul 2019 07:11:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=felipegasper.com; s=default; h=To:References:Message-Id: Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Subject:Mime-Version: Content-Type:Sender:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=mTE1EOreQNC2z/KoB7Dp//9Ezd3UpSCvABC0VCjrOls=; b=BmBfW5tJXYrNmr7CX9RyygSk+ 1Ha3Rd2cY4qNvRJvR01RBKxfNQCgn8gpLRctgXgezchIpY2Bp7cc4lngYrKDlt32VPE/+7OVrLO7O TsM5whdlStJR9qc7FUhx0axa72LNf4nUQyJs3eAnYRPPEERonY51khiQeuyP2WTXD9wvZTUcwGpB4 IkOLhk9YFiDFEhnyYZtHOhGM9kSe5qexdM4OpShfapK/WWUP7DMME0QWoPMJA5upQ5czNZYutwa// +ai9RdGzoaDqt0Ey26BtlCBqUqZLGRsxNGdEvmfSbgqYNQLidgMwCCxCfxHyHwVkDa07xkmmVqP9Z bYONJRdDw==;
Received: from [149.248.87.38] (port=61169 helo=[192.168.86.108]) by web1.siteocity.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92) (envelope-from <felipe@felipegasper.com>) id 1hnOAu-00HB3d-Pv; Tue, 16 Jul 2019 09:11:25 -0500
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Felipe Gasper <felipe@felipegasper.com>
In-Reply-To: <CAKnbcLiQ5+byqfTtf8WA7QPYLufc6TFb97dAFH0Tdc5XzJusZQ@mail.gmail.com>
Date: Tue, 16 Jul 2019 10:11:24 -0400
Cc: IETF ACME <acme@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <BAF155C7-90CF-4FE5-BE24-35BD9FDFA900@felipegasper.com>
References: <21BBD7F5-8D80-4ACC-B51F-B362A39A5A93@felipegasper.com> <CAKnbcLiQ5+byqfTtf8WA7QPYLufc6TFb97dAFH0Tdc5XzJusZQ@mail.gmail.com>
To: Daniel McCarney <cpu@letsencrypt.org>
X-Mailer: Apple Mail (2.3445.104.11)
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - web1.siteocity.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - felipegasper.com
X-Get-Message-Sender-Via: web1.siteocity.com: authenticated_id: fgasper/from_h
X-Authenticated-Sender: web1.siteocity.com: felipe@felipegasper.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/xISMswgCCmCsoOb8WzcIz8omsho>
Subject: Re: [Acme] orders, authorizations, and identifiers (oh my)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jul 2019 14:11:29 -0000

> On Jul 16, 2019, at 9:28 AM, Daniel McCarney <cpu@letsencrypt.org> wrote:
> 
> So it would be reasonable for this order to contain a single authz … and would that authz’s identifier be just “example.com”, then? Thus that authz object would not reference “www”, even though it is that domain’s corresponding authz object? Or would a client be accountable for implementing a “best-match authz” lookup to determine which authz corresponds to a given domain?
> 
> Yes, I would expect the order's one authorization to have the identifier "example.com".
> 
> I believe the confusion here is when you say "even though it is that domain's corresponding authz object" and "Since the order requires successful authz for both domains".
> 
> For the first part, as I understand there is no guaranteed correspondence between any of the identifiers in the order request and the identifiers in the returned authorizations. That's what the sentence you quoted on p26 is meant to convey. The client shouldn't attempt to match authz's to requested identifiers at all, it should just look at the identifiers in the authorizations returned by the server and prove control of those identifiers with the challenges available.

Thank your for your response. I think I see what’s going on.

To flesh out a hypothetical a bit more:

order identifiers: example.com, www.example.com

authzs:
  0)
    - identifier: { type: person, value: Fred }
    - challenge: ask if it’s ok
  1)
    - identifier: { type: person, value: Jane }
    - challenge: ask if it’s ok
  2)
    - identifier: { type: person, value: Pat }
    - challenge: ask if it’s ok

So if we tell the human operator, “Jane & Pat gave the OK, but Fred said not”, then it’s left to server policy to determine whether that means a hypothetical order with just one or the other domain would pass all authzs?

-F