> > So it would be reasonable for this order to contain a single authz … and > would that authz’s identifier be just “example.com”, then? Thus that > authz object would not reference “www”, even though it is that domain’s > corresponding authz object? Or would a client be accountable for > implementing a “best-match authz” lookup to determine which authz > corresponds to a given domain?
Yes, I would expect the order's one authorization to have the identifier " example.com". I believe the confusion here is when you say "even though it is that domain's corresponding authz object" and "Since the order requires successful authz for both domains". For the first part, as I understand there is no guaranteed correspondence between any of the identifiers in the order request and the identifiers in the returned authorizations. That's what the sentence you quoted on p26 is meant to convey. The client shouldn't attempt to match authz's to requested identifiers at all, it should just look at the identifiers in the authorizations returned by the server and prove control of those identifiers with the challenges available. For the second part, the server decides what identifiers the client needs to prove control of in order to authorize the overall order. It may not be both identifiers in the requested order. It happens that Let's Encrypt return orders with an authorization matching each requested identifier and requires all to be validated but the returned authorizations and associated challenges are entirely up to server policy. Hope that helps, On Mon, Jul 15, 2019 at 5:56 PM Felipe Gasper <fel...@felipegasper.com> wrote: > Hi all, > > The new RFC (8555) states (on p26), for order objects, that a 1:1 > relationship may not exist between an order’s identifiers and its authzs. > > Given that each authz object contains exactly 1 identifier, how > would this play out for CAs that accept authz against a base domain as > substitutive for authz on a subdomain? > > Consider an order to the hypothetical “AwesomeSSL” CA for > example.com and www.example.com. AwesomeSSL considers authz against “ > example.com” to implicitly demonstrate control over “www.example.com”. > Since the order requires successful authz for both domains, and (for > AwesomeSSL) authz for “example.com” suffices for both domains, having a > separate authz against “www” is superfluous. So it would be reasonable for > this order to contain a single authz … and would that authz’s identifier be > just “example.com”, then? Thus that authz object would not reference > “www”, even though it is that domain’s corresponding authz object? Or would > a client be accountable for implementing a “best-match authz” lookup to > determine which authz corresponds to a given domain? > > Thank you! > > -Felipe Gasper > Mississauga, Ontario > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme >
_______________________________________________ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme