> RFC8555 already addresses wildcards, no? Yes, wildcards are suppoted in RFC8555. Meanwhile, there are no mentions of wildcards in draft-ietf-acme-subdomains-06. It seems that wildcard certificates are not suitable for the subdomain scenario. However, I think the wildcard certificate is another candidate for subdomain manegement. Thus, I am wondering the reason why no wildcard certificates are mentioned in the draft. Are there some reasons for wildcard certificates cannot be used in subdomain scenarios?
Regards, Lei YAN 发件人: Acme <acme-boun...@ietf.org> 代表 Deb Cooley 发送时间: 2023年2月4日 21:32 收件人: Yanlei(Ray) <ray.yanlei=40huawei....@dmarc.ietf.org>; acme@ietf.org 抄送: Dorothy E Cooley <deco...@radium.ncsc.mil> 主题: Re: [Acme] Comment on draft-ietf-acme-subdomains-06: How about using wildcard certificates for subdomains? RFC8555 already addresses wildcards, no? Deb Cooley ACME chair deco...@radium.ncsc.mil<mailto:deco...@radium.ncsc.mil> On Tue, Jan 31, 2023 at 7:11 AM Yanlei(Ray) <ray.yanlei=40huawei....@dmarc.ietf.org<mailto:40huawei....@dmarc.ietf.org>> wrote: Hi, I'm new to this group and sorry for the late comment. I just saw this draft and have an idea after reading. I'd like to know from you experts whether it's reasonable. The illustration in Section 5 uses Subject Alternative Name (SAN) to list every subdomain name in a certificate. I wonder if this mechanism can be replaced by using a wildcard certificate? Compared with using the Subject Alternative Name (SAN), a wildcard certificate can simplify the complexity and reduce the costs for securing a number of subdomains. As the sub-domain name changes, the client with SAN has to re-apply its certificate, but the client with wildcard certificate does not need to change its certificate. I think wildcard certificates have been commonly used in subdomains management. As illustrated in Section 5: +--------+ +------+ +-----+ | Client | | ACME | | DNS | +---+----+ +---+--+ +--+--+ | | | STEP 1: Pre-Authorization of ancestor domain | . | | | . | | | . | | STEP 2: Place order for sub1.example.org<http://sub1.example.org> | . | | | . | | | . | | STEP 3: Place order for sub2.example.org<http://sub2.example.org>. | . | | | . | | | . | | If there are multiple subdomains, the client has to place an order multiple times for every subdomain. If using a wildcard certificate, the client only needs to place an order once for the wildcard certificate. Then the client can configure its subdomain servers with the same wildcard certificate. +--------+ +------+ +-----+ | Client | | ACME | | DNS | +---+----+ +---+--+ +--+--+ | | | STEP 1: Pre-Authorization of ancestor domain | . | | | . | | | . | | STEP 2: Place order for *.example.org<http://example.org> | | | | This is just a preliminary idea, and please correct me if I'm thinking wrongly. Regards, Lei YAN _______________________________________________ Acme mailing list Acme@ietf.org<mailto:Acme@ietf.org> https://www.ietf.org/mailman/listinfo/acme
_______________________________________________ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
