On Mon, Mar 18, 2024 at 04:03:07PM -0700, Jacob Hoffman-Andrews wrote:
> Thanks, authors, for the updates in
> https://datatracker.ietf.org/doc/html/draft-ietf-acme-scoped-dns-challenges-00
> .
> 
> Adding a "scope" (host, wildcard, or subdomain) to the DNS record name is
> great. Reading the draft, I think it doesn't specify how the scope for a
> given challenge is decided and communicated. Three ideas:
> 
> 1. Server picks, and tells the client.
> 
> The challenge object contains a "scope" field. The client verifies that the
> indicated scope is one of "host", "wildcard", or "subdomain", and is less
> than the maximal scope the client is willing to validate for. For instance,
> a client might be configured to only accept "host" scope.
> 
> 2. Client picks.
> 
> When the client POSTs to the challenge URL, instead of sending the empty
> object {}, it sends {"scope": "host"}, {"scope": "wildcard"}, or {"scope":
> "domain"}. The server verifies that the request scope is sufficient for the
> authorization object (i.e. "wildcard" or above for an authorization object
> that can be used to issue for a wildcard name), then performs the
> validation.
> 
> 3. Server offers options via challenge types
> 
> We explode out the challenge types from two to six:
> 
> dns-host-02
> dns-wildcard-02
> dns-domain-02
> dns-account-host-01
> dns-account-wildcard-01
> dns-account-domain-01

The client also needs to know the acceptable domains, and needs to
select the domain to use.

I think the simplest way to do that is for the CA to tell the client what
the maximum allowed number of label strips is (which might be 0), and then
for the client to tell the CA the number of label strips to do.

The maximum allowed strip count could be a field in the challenge object
(if not present, domain authentication is not allowed). And then, if
doing domain authentication, the client sends the actual strip count (which
may be 0) in the POST to the challenge URL (if not present, this is
host or wildcard authentication).

-Ilari

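A small Python model of the strip-count exchange sketched in this reply, added here as an example; it is not code from the draft, the list, or any ACME implementation. The field names maxStrips and strips, the _acme-challenge record prefix, and the two-label floor are assumptions, since the draft fixes none of them.

```python
"""Added model of the strip-count negotiation sketched in the reply above;
it is not code from the draft or from any ACME implementation.

Assumptions: the CA advertises the limit in a ``maxStrips`` challenge field,
the client answers with ``strips`` in its POST body, and the TXT record lives
under ``_acme-challenge``; the draft fixes none of these names.
"""

RECORD_PREFIX = "_acme-challenge"   # assumed; the scoped drafts may use another label
MIN_REMAINING_LABELS = 2            # assumed floor so stripping never reaches a TLD


def server_issue_challenge(max_strips: int) -> dict:
    """CA side: offer domain authentication only when max_strips > 0."""
    chal = {"type": "dns-02", "status": "pending", "token": "constructed-token"}
    if max_strips > 0:          # absent field => domain authentication not allowed
        chal["maxStrips"] = max_strips
    return chal


def client_respond(challenge: dict, domain_auth: bool, strips: int = 0) -> dict:
    """Client side: build the POST body; {} means host/wildcard authentication."""
    if not domain_auth:
        return {}
    if strips > challenge.get("maxStrips", -1):   # covers the "field absent" case
        raise ValueError("CA does not allow that many label strips")
    return {"strips": strips}


def server_validate(identifier: str, challenge: dict, body: dict) -> str:
    """CA side: check the client's choice, return the name to query for TXT."""
    labels = identifier.split(".")
    if labels[0] == "*":        # wildcard identifier: record sits at the base name
        labels = labels[1:]
    if "strips" not in body:    # host or wildcard authentication, no stripping
        return f"{RECORD_PREFIX}.{'.'.join(labels)}"
    strips = body["strips"]
    if "maxStrips" not in challenge:
        raise ValueError("domain authentication was not offered")
    if not isinstance(strips, int) or strips < 0 or strips > challenge["maxStrips"]:
        raise ValueError("strip count outside the offered range")
    if len(labels) - strips < MIN_REMAINING_LABELS:
        raise ValueError("stripping would leave a registry-controlled name")
    return f"{RECORD_PREFIX}.{'.'.join(labels[strips:])}"
```

The server-side check is the part worth keeping: the client's number is untrusted input, so it is bounded both by the advertised maximum and by how many labels may remain.
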
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme