We will add clarifying text in draft-07 to clarify this. Thanks, Owen From: Acme <[email protected]> On Behalf Of Yanlei(Ray) Sent: Friday, February 10, 2023 3:47 AM To: Deb Cooley <[email protected]>; [email protected] Subject: [Acme] 答复: Comment on draft-ietf-acme-subdomains-06: How about using wildcard certificates for subdomains?
> RFC8555 already addresses wildcards, no? Yes, wildcards are suppoted in RFC8555. Meanwhile, there are no mentions of wildcards in draft-ietf-acme-subdomains-06. It seems that wildcard certificates are not suitable for the subdomain scenario. However, I think the wildcard certificate is another candidate for subdomain manegement. Thus, I am wondering the reason why no wildcard certificates are mentioned in the draft. Are there some reasons for wildcard certificates cannot be used in subdomain scenarios? Regards, Lei YAN 发件人: Acme <[email protected]<mailto:[email protected]>> 代表 Deb Cooley 发送时间: 2023年2月4日 21:32 收件人: Yanlei(Ray) <[email protected]<mailto:[email protected]>>; [email protected]<mailto:[email protected]> 抄送: Dorothy E Cooley <[email protected]<mailto:[email protected]>> 主题: Re: [Acme] Comment on draft-ietf-acme-subdomains-06: How about using wildcard certificates for subdomains? RFC8555 already addresses wildcards, no? Deb Cooley ACME chair [email protected]<mailto:[email protected]> On Tue, Jan 31, 2023 at 7:11 AM Yanlei(Ray) <[email protected]<mailto:[email protected]>> wrote: Hi, I'm new to this group and sorry for the late comment. I just saw this draft and have an idea after reading. I'd like to know from you experts whether it's reasonable. The illustration in Section 5 uses Subject Alternative Name (SAN) to list every subdomain name in a certificate. I wonder if this mechanism can be replaced by using a wildcard certificate? Compared with using the Subject Alternative Name (SAN), a wildcard certificate can simplify the complexity and reduce the costs for securing a number of subdomains. As the sub-domain name changes, the client with SAN has to re-apply its certificate, but the client with wildcard certificate does not need to change its certificate. I think wildcard certificates have been commonly used in subdomains management. As illustrated in Section 5: +--------+ +------+ +-----+ | Client | | ACME | | DNS | +---+----+ +---+--+ +--+--+ | | | STEP 1: Pre-Authorization of ancestor domain | . | | | . | | | . | | STEP 2: Place order for sub1.example.org<http://sub1.example.org> | . | | | . | | | . | | STEP 3: Place order for sub2.example.org<http://sub2.example.org>. | . | | | . | | | . | | If there are multiple subdomains, the client has to place an order multiple times for every subdomain. If using a wildcard certificate, the client only needs to place an order once for the wildcard certificate. Then the client can configure its subdomain servers with the same wildcard certificate. +--------+ +------+ +-----+ | Client | | ACME | | DNS | +---+----+ +---+--+ +--+--+ | | | STEP 1: Pre-Authorization of ancestor domain | . | | | . | | | . | | STEP 2: Place order for *.example.org<http://example.org> | | | | This is just a preliminary idea, and please correct me if I'm thinking wrongly. Regards, Lei YAN _______________________________________________ Acme mailing list [email protected]<mailto:[email protected]> https://www.ietf.org/mailman/listinfo/acme
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
