The CSR MUST indicate the exact same set of requested identifiers as the initial newOrder request. #513
Comments
|
Hi @Coleman0701. I agree that this section is a bit difficult to mentally parse partially because it assumes some additional knowledge about the potential contents of CSRs and the nature of ACME being a protocol that will likely be expanded upon in the future. It's also trying to account for the legacy nature of the CN field in CSRs. How I interpret this is also based on how it seems to be implemented in the well known public ACME servers.
Where this gets hazy (as your examples show) is how the ACME server interprets what qualifies as an identifier or not in the CN field.
I'd be curious how Boulder or Pebble (Let's Encrypts ACME server implementations) actually respond to these examples. |
|
If you'd like more opinions from knowledgeable folks, I'd bring up the topic on the LE Community Forums. |
|
You could also debate that the CSR is largely included "because it should be" as a throwback to the conventional way of ordering certificates. As most of it is discarded by ACME CAs (for domain validated certs) it could have been omitted from the ACME process altogether. I believe the reason things are ignored/discarded is because the process itself cannot validate them (but they could have been validated prior using some offline process and linked to ACME via EAB). As far as I'm aware CN has long been deprecated for domain validated certs and only the SAN list is considered authoritative. |
Hello @rmbolger,
I am sorry to bother you again. It is not question regarding your ACME client. This is rather question related to ACME server funcionality.
We've been having lots of discussions internally about this paragraph:
The CSR MUST indicate the exact same
set of requested identifiers as the initial newOrder request.
Identifiers of type "dns" MUST appear either in the commonName
portion of the requested subject name or in an extensionRequest
attribute [RFC2985] requesting a subjectAltName extension, or both.
(These identifiers may appear in any sort order.) Specifications
that define new identifier types must specify where in the
certificate signing request these identifiers can appear.
In section https://www.rfc-editor.org/rfc/rfc8555#section-7.4 of the ACME RFC.
I'll give you set of examples :)
Which examples would you validate according to the paragraph above?
(google / youtoube are just examples, it can be anything else, it is about the principal)
Example 1:
NewOrder DNS identifiers:
google.com, youtoube.com
SAN DNS in CSR:
DNS=youtube.com
DNS=google.com
CSR CNs:
CN=Google.org
=================
Example 2:
NewOrder DNS identifiers:
google.com, youtoube.com
SAN DNS in CSR:
DNS=youtube.com
DNS=google.com
CSR CNs:
CN=Ryan Bolger (not a "DNS string")
or
CN=WebServer1 (not a "DNS string")
Here I want to underline that CN can be anything - like server "identity", identity if an administrator, etc.
================
Example 3:
NewOrder DNS identifiers:
google.com, youtoube.com
SAN DNS in CSR:
DNS= youtube.com
DNS= google.com
CSR CNs:
CN = youtube.com
CN= google.com
CN = Google
================
Example 4:
NewOrder DNS identifiers:
google.com, youtoube.com
SAN DNS in CSR:
DNS= youtube.com
DNS= google.com
DNS= google.test.com
CSR CNs:
CN = youtube.com
CN= google.com
================
We might be having some difficulties understanding the meaning of the paragraph. What is your opinion?
Thank you very much for your response
P.S. Your reply wouldn't be a "decisive thing" for us. I don't want you to interpret ACME RFC, I am asking for your opinion.
The text was updated successfully, but these errors were encountered: