On Sun, Sep 12, 2021 at 11:24 PM Owen Friel (ofriel) <ofr...@cisco.com>
wrote:

>
>
> Consider an RA that wants to get device certs for thousands of devices
> e.g. foo.type-a-sensors.example.org and bar.type-b-sensors.example.org,
> The RA would likely do a preAuthz for the domains it owns (e.g.
> example.org) rather than wait for a device to send an enrol request for a
> specific identifier (e.g. foo.type-a-sensors.example.org) and the RA then
> send a newOrder containing "identifiers": [ {"value":
> "foo.type-a-sensors.example.org", "domainNamespace": "example.org"} ].
>

The point of much of my original message is that this flow is already
possible today (modulo server policy). Instead of doing a preAuthz for
example.org, the subscriber would do a newOrder for *.example.org. The rest
of the process would be identical.

Again, I'm new here and so I'm not sure what criteria we look for when
considering new standards. Maybe a standard that provides a clear,
intuitive alternative to something already possible but kinda hacky is a
good thing; maybe it isn't. That's where my knowledge ends. I'm just trying
to make sure we understand that this behavior is technically possible today.

On Sun, Sep 12, 2021 at 11:24 PM Owen Friel (ofriel) <ofr...@cisco.com>
wrote:

>
> CA/B guidelines states the following in “3.2.2.4 Validation of Domain
> Authorization or Control” for multiple methods (including DNS)...
>

I'm not totally sure which part of my message this is responding to. Just
in case this was responding to my very last bullet point: yes, the BRs
allow multiple methods (including DNS validation) to be used for
subdomains. But they no longer allow Agreed-Upon Change To Website to be
used for subdomains, which means Appendix A needs to be updated.

On Sun, Sep 12, 2021 at 11:24 PM Owen Friel (ofriel) <ofr...@cisco.com>
wrote:

>
> An RFC8555 wildcard authorization for example.org only allows the
> *.example.org cert to be issued.
>

I don't think this is true. The relevant pieces of language are, as far as
I can tell:

Section 7.1.4:
"This field MUST be present and true for authorizations created as a result
of a newOrder request containing a DNS identifier with a value that was a
wildcard domain name.  For other authorizations, it MUST be absent."
"Wildcard domain names (with "*" as the first label) MUST NOT be included
in authorization objects.  If an authorization object conveys authorization
for the base domain of a newOrder DNS identifier containing a wildcard
domain name, then the optional authorizations "wildcard" field MUST be
present with a value of true."

So an Authorization object can only have the "wildcard" field set if it was
created as the result of a newOrder request for a wildcard domain name, and
the "wildcard" field must be set if the Authorization object conveys
authorization for the base domain of a wildcard domain name.

This says nothing about whether or not that Authorization object also
conveys authorization for other things (such as all subdomains of that base
domain), and says nothing about whether or not that Authorization object
can be re-used for orders other than the one that created it.

Thanks,
Aaron
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
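As an added example, not code from this thread or from any ACME implementation, the following Python models the two Section 7.1.4 rules quoted above: how a server derives an authorization object from a newOrder DNS identifier (a wildcard identifier becomes an authorization for the base domain with "wildcard": true), and a check of an authorization object against those rules. The Authorization class and both function names are assumptions made for this example.

```python
from typing import List, Optional
from dataclasses import dataclass


@dataclass
class Authorization:
    """Subset of an RFC 8555 authorization object (constructed model)."""
    identifier: dict                  # {"type": "dns", "value": "..."}
    status: str = "pending"
    wildcard: Optional[bool] = None   # None models an absent "wildcard" field


def authorization_for_identifier(ident: dict) -> Authorization:
    """Build the authorization a server creates for one newOrder DNS identifier.

    A wildcard identifier ("*.example.org") yields an authorization for the
    base domain ("example.org") with "wildcard": true; any other identifier
    yields one with the "wildcard" field absent (RFC 8555, Section 7.1.4).
    """
    if ident.get("type") != "dns":
        raise ValueError("only dns identifiers are modelled here")
    value = ident["value"].lower().rstrip(".")
    if value.startswith("*."):
        base = value[2:]
        if not base or "*" in base:
            raise ValueError(f"malformed wildcard identifier: {value}")
        return Authorization({"type": "dns", "value": base}, wildcard=True)
    return Authorization({"type": "dns", "value": value})


def check_authorization(authz: Authorization, from_wildcard: bool) -> List[str]:
    """Return the Section 7.1.4 violations in an authorization ([] if none).

    from_wildcard says whether the newOrder identifier that produced this
    authorization was a wildcard domain name.
    """
    problems = []
    if authz.identifier.get("value", "").startswith("*."):
        problems.append("wildcard domain name MUST NOT appear in an authorization")
    if from_wildcard and authz.wildcard is not True:
        problems.append('"wildcard" MUST be present and true')
    if not from_wildcard and authz.wildcard is not None:
        problems.append('"wildcard" MUST be absent')
    return problems
```

Whether such an authorization also covers other subdomains, or may be reused by later orders, is left to server policy, exactly as the message above notes the RFC text does.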
