On Sun, Sep 12, 2021 at 11:24 PM Owen Friel (ofriel) <ofr...@cisco.com> wrote:
> Consider an RA that wants to get device certs for thousands of devices
> e.g. foo.type-a-sensors.example.org and bar.type-b-sensors.example.org,
> The RA would likely do a preAuthz for the domains it owns (e.g.
> example.org) rather than wait for a device to send an enrol request for a
> specific identifier (e.g. foo.type-a-sensors.example.org) and the RA then
> send a newOrder containing "identifiers": [ {"value":
> "foo.type-a-sensors.example.org", "domainNamespace": "example.org"} ].

The point of much of my original message is that this flow is already possible today (modulo server policy). Instead of doing a preAuthz for example.org, the subscriber would do a newOrder for *.example.org. The rest of the process would be identical.

Again, I'm new here and so I'm not sure what criteria we look for when considering new standards. Maybe a standard that provides a clear, intuitive alternative to something already possible but kinda hacky is a good thing; maybe it isn't. That's where my knowledge ends. I'm just trying to make sure we understand that this behavior is technically possible today.

On Sun, Sep 12, 2021 at 11:24 PM Owen Friel (ofriel) <ofr...@cisco.com> wrote:

> CA/B guidelines state the following in "3.2.2.4 Validation of Domain
> Authorization or Control" for multiple methods (including DNS)...

I'm not totally sure which part of my message this is responding to. Just in case this was responding to my very last bullet point: yes, the BRs allow multiple methods (including DNS validation) to be used for subdomains. But they no longer allow Agreed-Upon Change To Website to be used for subdomains, which means Appendix A needs to be updated.

On Sun, Sep 12, 2021 at 11:24 PM Owen Friel (ofriel) <ofr...@cisco.com> wrote:

> An RFC8555 wildcard authorization for example.org only allows the
> *.example.org cert to be issued.

I don't think this is true. The relevant pieces of language are, as far as I can tell, in Section 7.1.4:

"This field MUST be present and true for authorizations created as a result of a newOrder request containing a DNS identifier with a value that was a wildcard domain name. For other authorizations, it MUST be absent."

"Wildcard domain names (with "*" as the first label) MUST NOT be included in authorization objects. If an authorization object conveys authorization for the base domain of a newOrder DNS identifier containing a wildcard domain name, then the optional authorizations "wildcard" field MUST be present with a value of true."

So an Authorization object can only have the "wildcard" field set if it was created as the result of a newOrder request for a wildcard domain name, and the "wildcard" field must be set if the Authorization object conveys authorization for the base domain of a wildcard domain name. This says nothing about whether or not that Authorization object also conveys authorization for other things (such as all subdomains of that base domain), and says nothing about whether or not that Authorization object can be re-used for orders other than the one that created it.

Thanks,
Aaron
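As an added illustration of the RFC 8555 Section 7.1.4 rules quoted in the message above (example code, not part of the thread and not from any ACME server or client), a small Python check that tests an authorization object against the wildcard rules; all order identifiers and authorization objects it uses are constructed samples.

```python
# Added example (not from the thread or any ACME implementation): check an
# ACME authorization object against the RFC 8555 Section 7.1.4 wildcard
# rules quoted above. All sample objects below are constructed.

def base_domain(name: str) -> str:
    """Strip a leading "*." label; non-wildcard names come back unchanged."""
    return name[2:] if name.startswith("*.") else name

def check_authorization(order_identifier: dict, authz: dict) -> list:
    """Return the rules `authz` violates (empty list means compliant).

    order_identifier: the DNS identifier from the newOrder that created it.
    """
    if order_identifier.get("type") != "dns":
        return ["only DNS identifiers carry wildcard semantics"]
    ordered = order_identifier["value"]
    value = authz.get("identifier", {}).get("value", "")
    problems = []
    if value.startswith("*."):
        problems.append("authorization identifier MUST NOT be a wildcard name")
    if value != base_domain(ordered):
        problems.append("authorization must cover the order's base domain")
    if ordered.startswith("*.") and authz.get("wildcard") is not True:
        problems.append('"wildcard" MUST be present and true for a wildcard order')
    if not ordered.startswith("*.") and "wildcard" in authz:
        problems.append('"wildcard" MUST be absent for a non-wildcard order')
    return problems

# Constructed samples: one newOrder for *.example.org, one for a plain host.
WILDCARD_ORDER_ID = {"type": "dns", "value": "*.example.org"}
PLAIN_ORDER_ID = {"type": "dns", "value": "foo.type-a-sensors.example.org"}

# Compliant response to the wildcard order: the base domain, never the
# "*." name itself, with the wildcard flag set.
GOOD_WILDCARD_AUTHZ = {"identifier": {"type": "dns", "value": "example.org"},
                       "status": "pending", "wildcard": True}
# Non-compliant: a wildcard name in the authorization identifier.
BAD_WILDCARD_AUTHZ = {"identifier": {"type": "dns", "value": "*.example.org"},
                      "status": "pending"}
# Non-compliant: a "wildcard" field on an authorization a plain order created.
BAD_PLAIN_AUTHZ = {"identifier": {"type": "dns",
                                  "value": "foo.type-a-sensors.example.org"},
                   "status": "pending", "wildcard": False}

if __name__ == "__main__":
    for oid, authz in [(WILDCARD_ORDER_ID, GOOD_WILDCARD_AUTHZ),
                       (WILDCARD_ORDER_ID, BAD_WILDCARD_AUTHZ),
                       (PLAIN_ORDER_ID, BAD_PLAIN_AUTHZ)]:
        print(oid["value"], "->", check_authorization(oid, authz) or "compliant")
```

The check covers only what the quoted text states; whether an authorization for example.org may be reused for later orders on its subdomains is left to server policy, as the message notes.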
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme