Ilari, you've posted some useful extrapolations on how domain scopes could
work. I'm proposing to get rid of domain scopes. :D To get us on the same
page, would you mind posting some of the specific use cases you're
envisioning where domain scopes would be used in an ACME environment? My
existing belief is that domain scopes are only useful when validation is
non-automated, but I could be wrong here.

On Thu, Mar 21, 2024 at 3:26 AM Ilari Liusvaara <ilariliusva...@welho.com>
wrote:

> On Wed, Mar 20, 2024 at 08:57:11PM -0400, Amir Omidi wrote:
> > I do think that this draft can do a better job describing the scope. I
> > think we should make it more explicit for the client to understand which
> > one will be used. I feel like splitting this challenge into three (and
> > potentially more, as extra scopes may or may not be added into the
> > future)
> > might be a little too noisy.
> >
> > What do you think about a `scope` field in the authorization resource the
> > server sends creates/communicates with the client? Clients opting into
> > dns02, or dns-account-01 will use this to know exactly what scope the
> > server is expecting from them for their ACME order.
>
> The problem with this is that there might be multiple valid scopes, not
> just a single valid scope. And clients often have only one that will
> work, the rest will fail (often in rather bad ways).
>
> The obvious scope is host/wildcard on the target name. However, if
> CA allows domain scope, there will be N+1 more, where N is the maximum
> allowed strip (might be 0, might be more).
>
> In another mail, I proposed:
>
> - If CA allows domain scope, it sends maximum allowed strip in the
>   challenge. Otherwise only host/wildcard scope is allowed.
> - If client selects domain scope, it sends strip used in the POST to
>   the challenge URL. Otherwise host/wildcard scope is selected.
>
> -Ilari
>
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme