We will add clarifying text in draft-07 to clarify this.

Thanks,
Owen

From: Acme <acme-boun...@ietf.org> On Behalf Of Yanlei(Ray)
Sent: Friday, February 10, 2023 3:47 AM
To: Deb Cooley <debcool...@gmail.com>; acme@ietf.org
Subject: [Acme] RE: Comment on draft-ietf-acme-subdomains-06: How about using wildcard certificates for subdomains?
> RFC8555 already addresses wildcards, no?

Yes, wildcards are supported in RFC8555. Meanwhile, there are no mentions of wildcards in draft-ietf-acme-subdomains-06. It seems that wildcard certificates are not suitable for the subdomain scenario. However, I think the wildcard certificate is another candidate for subdomain management. Thus, I am wondering about the reason why no wildcard certificates are mentioned in the draft. Are there reasons why wildcard certificates cannot be used in subdomain scenarios?

Regards,
Lei YAN

From: Acme <acme-boun...@ietf.org> On Behalf Of Deb Cooley
Sent: February 4, 2023 21:32
To: Yanlei(Ray) <ray.yanlei=40huawei....@dmarc.ietf.org>; acme@ietf.org
Cc: Dorothy E Cooley <deco...@radium.ncsc.mil>
Subject: Re: [Acme] Comment on draft-ietf-acme-subdomains-06: How about using wildcard certificates for subdomains?

RFC8555 already addresses wildcards, no?

Deb Cooley
ACME chair
deco...@radium.ncsc.mil

On Tue, Jan 31, 2023 at 7:11 AM Yanlei(Ray) <ray.yanlei=40huawei....@dmarc.ietf.org> wrote:

Hi,

I'm new to this group and sorry for the late comment. I just saw this draft and have an idea after reading. I'd like to know from you experts whether it's reasonable.

The illustration in Section 5 uses Subject Alternative Name (SAN) to list every subdomain name in a certificate. I wonder if this mechanism can be replaced by using a wildcard certificate? Compared with using the Subject Alternative Name (SAN), a wildcard certificate can simplify the complexity and reduce the costs for securing a number of subdomains. As the sub-domain name changes, the client with SAN has to re-apply for its certificate, but the client with a wildcard certificate does not need to change its certificate. I think wildcard certificates have been commonly used in subdomain management.
As illustrated in Section 5:

+--------+          +------+     +-----+
| Client |          | ACME |     | DNS |
+---+----+          +---+--+     +--+--+
    |                   |           |
    | STEP 1: Pre-Authorization of ancestor domain
    |         .         |           |
    |         .         |           |
    |         .         |           |
    | STEP 2: Place order for sub1.example.org
    |         .         |           |
    |         .         |           |
    |         .         |           |
    | STEP 3: Place order for sub2.example.org
    |         .         |           |
    |         .         |           |
    |         .         |           |

If there are multiple subdomains, the client has to place an order multiple times, once for every subdomain. If using a wildcard certificate, the client only needs to place an order once for the wildcard certificate. Then the client can configure its subdomain servers with the same wildcard certificate.

+--------+          +------+     +-----+
| Client |          | ACME |     | DNS |
+---+----+          +---+--+     +--+--+
    |                   |           |
    | STEP 1: Pre-Authorization of ancestor domain
    |         .         |           |
    |         .         |           |
    |         .         |           |
    | STEP 2: Place order for *.example.org
    |                   |           |

This is just a preliminary idea, and please correct me if I'm thinking wrongly.

Regards,
Lei YAN

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
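To make the two flows in the thread concrete, here is an added example in Python (it is not from draft-ietf-acme-subdomains, RFC 8555 or any message above). It builds the RFC 8555 newOrder identifier lists a client would submit for the per-subdomain flow and for the wildcard flow, and checks what a wildcard identifier actually covers: "*.example.org" matches exactly one label, so it covers sub1.example.org but neither example.org itself nor a.sub1.example.org, which still need identifiers of their own. The ancestor, the subdomain list, the `plan_orders` helper and the assumption that the client already holds an authorization for example.org are all constructed for this example.

```python
"""Added example: how the two flows discussed in the thread translate into
RFC 8555 newOrder identifiers, and what a wildcard identifier does and does
not cover.  Illustrative code, not from the draft or the mailing list."""

import json

# Constructed inputs for the example: the client has pre-authorized this
# ancestor (the draft's STEP 1) and wants certificates for these names.
ANCESTOR = "example.org"
SUBDOMAINS = ["sub1.example.org", "sub2.example.org", "a.sub1.example.org"]


def under_ancestor(ancestor: str, name: str) -> bool:
    """True if `name` is the ancestor or one of its subdomains (any depth)."""
    return name == ancestor or name.endswith("." + ancestor)


def wildcard_covers(wildcard: str, name: str) -> bool:
    """Wildcard semantics as used by RFC 8555 / X.509: '*.base' matches
    exactly one leftmost label.  It covers neither 'base' itself nor names
    with more labels below it."""
    if not wildcard.startswith("*."):
        return False
    base = wildcard[2:]
    if not name.endswith("." + base):
        return False
    label = name[: -(len(base) + 1)]
    return label != "" and "." not in label and "*" not in label


def new_order_payload(values: list[str]) -> dict:
    """Body of an RFC 8555 newOrder request for the given dns identifiers."""
    return {"identifiers": [{"type": "dns", "value": v} for v in values]}


def authorization_identifier(value: str) -> dict:
    """How the server records the identifier in the authorization object
    (RFC 8555 section 7.1.4): the '*.' prefix is stripped and the
    'wildcard' flag is set."""
    if value.startswith("*."):
        return {"identifier": {"type": "dns", "value": value[2:]}, "wildcard": True}
    return {"identifier": {"type": "dns", "value": value}}


def plan_orders(names: list[str], ancestor: str, use_wildcard: bool) -> list[dict]:
    """Return the newOrder payloads needed to cover `names`.

    use_wildcard=False reproduces the per-subdomain flow from the thread:
    one order per name.  use_wildcard=True issues one order for
    '*.ancestor' plus a second order for any names the wildcard cannot
    cover (the ancestor itself, or names two or more labels deep)."""
    outside = [n for n in names if not under_ancestor(ancestor, n)]
    if outside:
        raise ValueError(f"not under authorized ancestor {ancestor}: {outside}")
    if not use_wildcard:
        return [new_order_payload([n]) for n in names]
    wildcard = "*." + ancestor
    leftover = [n for n in names if not wildcard_covers(wildcard, n)]
    orders = [new_order_payload([wildcard])]
    if leftover:
        orders.append(new_order_payload(leftover))
    return orders


if __name__ == "__main__":
    for flag in (False, True):
        print(f"use_wildcard={flag}:")
        for order in plan_orders(SUBDOMAINS, ANCESTOR, flag):
            print("  ", json.dumps(order))
    print(json.dumps(authorization_identifier("*.example.org")))
```

Two caveats worth keeping in mind when comparing the flows: RFC 8555 lets a single newOrder carry several identifiers, so the one-order-per-subdomain shape of the Section 5 figure is an illustration rather than a protocol limit, and CA policy commonly restricts wildcard identifiers to the dns-01 challenge (Let's Encrypt does), which matters if the ancestor authorization was obtained with a different challenge type.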