RFC8555 already addresses wildcards, no?

Deb Cooley
ACME chair
[email protected]


On Tue, Jan 31, 2023 at 7:11 AM Yanlei(Ray) <ray.yanlei=[email protected]> wrote:

> Hi,
>
> I'm new to this group and sorry for the late comment. I just saw this
> draft and have an idea after reading. I'd like to know from you experts
> whether it's reasonable.
>
> The illustration in Section 5 uses Subject Alternative Name (SAN) to list
> every subdomain name in a certificate.
>
> I wonder if this mechanism can be replaced by using a wildcard certificate?
>
> Compared with using the Subject Alternative Name (SAN), a wildcard
> certificate can simplify the complexity and reduce the costs for securing a
> number of subdomains.
>
> As the sub-domain name changes, the client with SAN has to re-apply for its
> certificate, but the client with a wildcard certificate does not need to
> change its certificate.
>
> I think wildcard certificates have been commonly used in subdomain
> management.
>
> As illustrated in Section 5:
>
>   +--------+                  +------+     +-----+
>   | Client |                  | ACME |     | DNS |
>   +---+----+                  +---+--+     +--+--+
>       |                            |            |
>     STEP 1: Pre-Authorization of ancestor domain
>       |               .            |            |
>       |               .            |            |
>       |               .            |            |
>     STEP 2: Place order for sub1.example.org
>       |               .            |            |
>       |               .            |            |
>       |               .            |            |
>     STEP 3: Place order for sub2.example.org.
>       |               .            |            |
>       |               .            |            |
>       |               .            |            |
>
> If there are multiple subdomains, the client has to place an order
> multiple times, once for every subdomain.
>
> If using a wildcard certificate, the client only needs to place an order
> once for the wildcard certificate.
>
> Then the client can configure its subdomain servers with the same wildcard
> certificate.
>
>   +--------+                  +------+     +-----+
>   | Client |                  | ACME |     | DNS |
>   +---+----+                  +---+--+     +--+--+
>       |                            |            |
>     STEP 1: Pre-Authorization of ancestor domain
>       |               .            |            |
>       |               .            |            |
>       |               .            |            |
>     STEP 2: Place order for *.example.org    |
>       |                            |            |
>
> This is just a preliminary idea, and please correct me if I'm thinking
> wrongly.
>
> Regards,
>
> Lei YAN
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
>
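The wildcard handling that the reply points to is in RFC 8555 itself, and the practical trade-off behind the quoted proposal is what a wildcard name does and does not cover. The following is an added example written for this page; it is not code from the thread, from RFC 8555 or from the subdomains draft. It models the server side of a newOrder for a wildcard identifier the way RFC 8555 specifies it (Section 7.1.3: the authorization for "*.example.org" carries "wildcard": true and an identifier value without the "*." prefix; Sections 7.4 and 8.4: a wildcard authorization may only be satisfied by dns-01), and then applies RFC 6125 style matching to show which hosts a single "*.example.org" certificate would serve and which would still need their own order or SAN entry. The label syntax check and the "at least two labels" requirement are this example's own policy assumptions, not something either RFC mandates.

```python
"""Added example (not from the ACME thread, RFC 8555 or the subdomains draft):
how an ACME server treats a wildcard identifier in a newOrder, and which hosts
a wildcard certificate actually covers.

RFC 8555 points modelled here:
  - 7.1.3 / 7.4: an authorization created for a wildcard DNS identifier has
    "wildcard": true and an identifier value without the "*." prefix.
  - 7.4 / 8.4: such an authorization may only be satisfied by dns-01.
Matching follows RFC 6125 s6.4.3: "*" stands for exactly one leftmost label.
"""
import re

# ASSUMPTION (this example's policy, not RFC text): a DNS label is 1-63 chars of
# letters, digits and hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_valid_identifier(name: str) -> bool:
    """Accept a plain DNS name or an RFC 8555 wildcard name '*.<name>'.

    Only a single leading '*' label is a wildcard. 'sub.*.example.org',
    '*.*.example.org' and '*example.org' are all refused, as is a wildcard
    over a single label such as '*.org' (ASSUMPTION: minimum two labels).
    """
    labels = name.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    return len(labels) >= 2 and all(_LABEL.match(lbl) for lbl in labels)


def authorization_for(identifier: str) -> dict:
    """Build the authorization object a server would create for one newOrder
    identifier. Wildcard names get only dns-01 and "wildcard": true; the
    identifier value is the base name. Invalid names raise, standing in for
    the RFC 8555 'rejectedIdentifier' error."""
    if not is_valid_identifier(identifier):
        raise ValueError(f"rejectedIdentifier: {identifier!r}")
    wildcard = identifier.startswith("*.")
    base = identifier[2:] if wildcard else identifier
    authz = {
        "status": "pending",
        "identifier": {"type": "dns", "value": base},
        "challenges": [{"type": "dns-01"}] if wildcard
                      else [{"type": "http-01"}, {"type": "dns-01"}],
    }
    if wildcard:
        authz["wildcard"] = True          # MUST be absent for non-wildcards
    return authz


def wildcard_covers(cert_name: str, host: str) -> bool:
    """RFC 6125 style match: '*' replaces exactly one complete leftmost label.
    '*.example.org' covers sub1.example.org, but neither example.org itself
    nor a.b.example.org."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]                # ".example.org"
    if not host.endswith(suffix):
        return False
    leftmost = host[:-len(suffix)]        # the part the '*' must stand for
    return bool(leftmost) and "." not in leftmost


def uncovered_by_wildcard(wildcard_name: str, hosts) -> list:
    """Hosts that would still need their own order (or SAN entry) if the
    operator relied on a single wildcard certificate."""
    return [h for h in hosts if not wildcard_covers(wildcard_name, h)]


if __name__ == "__main__":
    # Constructed sample: the names from the quoted diagrams plus two edge cases.
    wanted = ["sub1.example.org", "sub2.example.org",
              "example.org", "a.b.example.org"]
    print(authorization_for("*.example.org"))
    print("still need separate orders:",
          uncovered_by_wildcard("*.example.org", wanted))
```

The last two names in the constructed list are the caveat to keep in mind when weighing a single wildcard order against per-subdomain orders: the apex name and any name more than one label below the wildcard are outside "*.example.org", so they need their own identifiers in an order regardless of which approach is used.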