"Walking up" for authorization


#1

Continuing the discussion from DNS challenge is in staging:

I actually started this for DNS because that was the topic there but I thought about this in a greater way.

My idea is that a subdomain should NOT require a re-challenge if you are already authorised for something above it (that doesn't match the PSL).
Especially because LE keeps you authorised for 10 months after completing a challenge, this can be really helpful, especially when handling a large SAN cert which contains a lot of subs.

Let's say we want a cert for foo.bar.test.abc.zm

First it looks for an authorisation for foo.bar.test.abc.zm (direct check).
If there is no match, go up in the domain; if that was already authorised, mark as completed.
Then we have bar.test.abc.zm
Same procedure.
Now we have test.abc.zm
And now we have a stop, because abc.zm (the next step) matches *.zm on the PSL without any exceptions.

So in that case, if you had any of the upper levels already approved, you don't need a lower-level challenge.
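The walk described in this post, as an added example (not code from the thread or from any ACME implementation): a toy public-suffix matcher plus the upward check. The PSL rules, the authorization cache and the names are constructed for illustration; a real client or CA would consult the full publicsuffix.org list.

```python
from typing import Optional

# Constructed mini public-suffix list in the list's own syntax:
# plain rules, one wildcard rule (*.zm) and one exception rule (!nic.zm).
PSL_RULES = {"zm", "*.zm", "!nic.zm", "com", "uk", "co.uk"}


def _rule_matches(rule: str, domain: str) -> bool:
    """True if a single rule (without a leading '!') matches domain label-for-label."""
    rl, dl = rule.split("."), domain.split(".")
    if len(rl) != len(dl):
        return False
    return all(r == "*" or r == d for r, d in zip(rl, dl))


def is_public_suffix(domain: str) -> bool:
    """A name is a public suffix if some rule matches it and no exception rule does."""
    if any(_rule_matches(r[1:], domain) for r in PSL_RULES if r.startswith("!")):
        return False
    return any(_rule_matches(r, domain) for r in PSL_RULES if not r.startswith("!"))


def parent(domain: str) -> Optional[str]:
    """Strip the leftmost label; None once nothing is left."""
    _, _, rest = domain.partition(".")
    return rest or None


def walk_up(fqdn: str, authorized: set) -> Optional[str]:
    """Return the already-authorized name (fqdn itself or an ancestor) that
    would cover fqdn, or None when a fresh challenge is needed.

    The walk stops as soon as it reaches a public suffix, so an entry such as
    'zm' or 'abc.zm' (a suffix under the *.zm rule) in the cache can never
    cover anything: authorization is only inherited below the registrable domain.
    """
    name = fqdn
    while name is not None and not is_public_suffix(name):
        if name in authorized:
            return name
        name = parent(name)
    return None


if __name__ == "__main__":
    # Constructed cache: only test.abc.zm was challenged earlier.
    print(walk_up("foo.bar.test.abc.zm", {"test.abc.zm"}))  # test.abc.zm
    print(walk_up("foo.bar.test.abc.zm", {"abc.zm"}))       # None
```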


#2

I assume you forgot a "not" and that you mean “subdomain should NOT require re-challenge if you are already authorised for something above”.


#3

Edited. Result of thinking faster than you can type…

Thanks for pointing it out…


#4

:+1: this is a great idea and I think it could even be used to allow wildcard certificates for a whole domain!


#5

Yeah, I mean it is based on the assumption that if you have the top then you have the bottom, but that is true stuff.


#6

I think this might make sense for DNS, but maybe not for other challenge types. Consider the webmaster of a university web site; the webmaster may not be allowed to edit DNS records at all, and is perhaps only responsible for the main site (example.edu) and not for the departmental and administrative delegations under that.


#7

No other provider gives you a subdomain certificate unless you own the root domain. Doing it the opposite way in the name of automation is nothing but a nuisance to power users. There’s no reason both can’t be supported - subdomain-only validation through HTTP, or wildcard validation through root domain DNS.

If someone owns the root DNS, they can point the subdomains to any HTTP server and delete any delegation if present.


#8

Or via whois/admin mail (for easier manual mode).


#9

More important, with DNS you could already silently do this without interfering with the operation of the site on the subdomain (unlike with HTTP validation, where the original site would most likely not be reachable if you changed DNS to point to your own system to serve the validation data).


#10

@ThiefMaster <- This

Also, it would be nice if you could just push your account pub key into the DNS, so you don't even need to be asked to put a challenge somewhere to authorise your domain; you would just need to sign stuff with the key listed in the DNS.

It would also allow easier rollouts and probably less data, because you don't need to say “push this challenge here” - “okay I did it” - “okay I verify it” *verification* -> “okay verified”

but just “sign me this” - “okay here's the signature” - *check against keys listed in DNS* -> “okay”


#11

@riking what did you change? The changelog seems to say nothing of value.


#12

Why do you ask if he changed something?


#13

Because I got an edit notification, and you can also see it by clicking on the orange pencil (first post at the top).


#14

The change (as shown by clicking the pencil) was simply a move:
Uncategorized → Feature Requests


#15

Oh. I searched up and down for highlighted stuff, since the edits are usually highlighted. Thanks for clarifying.

Even though it is weird to categorize a move as an edit. Normal forum software doesn't do that; a move is usually a distinct action.


#16

Update: I pushed an issue to the acme GitHub: