Re: [Acme] ACME email validation

Brian Sipos <BSipos@rkf-eng.com> Fri, 19 June 2020 22:08 UTC

From: Brian Sipos <BSipos@rkf-eng.com>
To: Sebastian Nielsen <sebastian@sebbe.eu>, "acme@ietf.org" <acme@ietf.org>
CC: "alexey.melnikov@isode.com" <alexey.melnikov@isode.com>
Date: Fri, 19 Jun 2020 22:08:33 +0000
Message-ID: <MN2PR13MB3567DD194C7CA98EE599F1F09F980@MN2PR13MB3567.namprd13.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/CFHNo9pQQxjEYM5nHuWKGluVRPE>
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>

Sebastian,
Thank you very much for this clarification. This would apply to all message exchange validation types then (including the one I'm looking into).
I notice that the email validation draft does not mention multiple attempts from different sources, which RFC 8555 does discuss briefly [1]. Is there an expectation that an email validation would be attempted from multiple ACME server addresses, or is a MITM attack on messaging not handled because of the nature of email security?

[1] https://tools.ietf.org/html/rfc8555#section-10.2


________________________________
From: Sebastian Nielsen
Sent: Friday, June 19, 2020 13:25
To: Brian Sipos; acme@ietf.org
Cc: alexey.melnikov@isode.com
Subject: SV: [Acme] ACME email validation


The reason is to prevent email spoofing.

In the case of .well-known or DNS validation, or ALPN, you publish a record where ACME fetches it. That can't be spoofed, because ACME itself searches for the record; you can't send ACME a record and have it accept it.

In the email case, you instead send the response back to ACME via email, which could be spoofed if you had access to only the ACME client, if the whole token was given by the ACME client.

And in the second case, if the whole token was given by email, it could be a private key that is being used for another thing, let's say signing internal certificates via an HSM, where the signing system is misused to gain S/MIME certificates by signing the token, without having access to the corresponding ACME client where the private key is installed. By requiring 2 parts of a token, you ensure the client has access to BOTH the email inbox AND the ACME client, AND the private key as well.

To ensure that the person replying to the email has access to BOTH the email account AND the ACME client, he must join the 2 parts of a secure token, and then use his private key to calculate the value.

From: acme-bounces@ietf.org <acme-bounces@ietf.org> On Behalf Of Brian Sipos
Sent: June 19, 2020 00:13
To: acme@ietf.org
Cc: alexey.melnikov@isode.com
Subject: [Acme] ACME email validation

All,

In a recent draft I created for using ACME for non-web-PKI verification [1] I see that there are many similarities with an earlier draft for email verification [2]. In that email protocol, the challenge token is split into two parts which arrive at the email validation agent through two paths: token-part1 via the validation channel, and token-part2 via the ACME channel.

Is there a technical reason why the token is split into two parts like this? Is replying with the proper corresponding Key Authorization not sufficient to prove ownership of the email address?

I don't see any similar challenge token splitting in other ACME drafts and I don't see anything obvious in [2] to indicate why the split is useful or needed. I also didn't see any related discussion earlier on the ACME mailing list.

Thank you,

Brian S.



[1] https://datatracker.ietf.org/doc/html/draft-sipos-acme-dtnnodeid-00

[2] https://datatracker.ietf.org/doc/html/draft-ietf-acme-email-smime-08
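The split-token construction the thread argues about, as an added worked example (this is editor-supplied code, not code from the email-smime draft, from RFC 8555, or from any of the posters). It models both sides: the ACME server mints token-part1 (sent in the challenge e-mail's Subject) and token-part2 (the "token" member of the challenge object), and the client can only produce the expected reply if it holds all three of the mailbox, the ACME session and the account key. The "ACME: <token-part1>" Subject layout, the part1 || part2 concatenation order and the final base64url(SHA-256(keyAuthorization)) step follow my reading of the email-reply-00 challenge in the draft and should be confirmed against the draft text; the account JWK coordinates are constructed placeholders, not a real P-256 point (the RFC 7638 thumbprint does not validate them). DKIM or S/MIME signing of the reply message is out of scope here.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 8555 requires for tokens and digests."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 JWK thumbprint: SHA-256 over the required members only,
    keys in lexicographic order, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


# ---- ACME server side ------------------------------------------------------
def issue_split_challenge() -> dict:
    """Mint two independent random halves (128 bits of entropy each, so either
    half alone already meets the RFC 8555 token entropy floor).
    part1 travels over the validation channel (e-mail Subject);
    part2 travels over the ACME channel (the challenge object)."""
    part1 = b64url(secrets.token_bytes(16))
    part2 = b64url(secrets.token_bytes(16))
    return {
        "email_subject": "ACME: " + part1,                         # assumed Subject layout
        "challenge": {"type": "email-reply-00", "token": part2},   # ACME challenge object
    }


def expected_reply(part1: str, part2: str, account_jwk: dict) -> str:
    """Server-side expectation for the reply body:
    keyAuthorization = (part1 || part2) || '.' || thumbprint(accountKey)
    reply            = base64url(SHA-256(keyAuthorization))   (assumed hashing step)"""
    key_authz = part1 + part2 + "." + jwk_thumbprint(account_jwk)
    return b64url(hashlib.sha256(key_authz.encode("ascii")).digest())


def server_verify(part1: str, part2: str, account_jwk: dict, reply_body: str) -> bool:
    """Constant-time comparison against the value the server computed itself."""
    return hmac.compare_digest(expected_reply(part1, part2, account_jwk), reply_body)


# ---- ACME client side ------------------------------------------------------
def client_reply(email_subject: str, challenge: dict, account_jwk: dict) -> str:
    """The client needs the mailbox (part1), the ACME session (part2) and the
    account key (thumbprint); lacking any one of them it cannot build this."""
    prefix = "ACME: "
    if not email_subject.startswith(prefix):
        raise ValueError("not an ACME challenge e-mail")
    part1 = email_subject[len(prefix):].strip()
    return expected_reply(part1, challenge["token"], account_jwk)


# Constructed account JWK: x/y are placeholder coordinates, not a real key.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}


def demo() -> dict:
    """Run the exchange once and show which attacker positions fail verification."""
    issued = issue_split_challenge()
    part1 = issued["email_subject"][len("ACME: "):]
    part2 = issued["challenge"]["token"]

    good = client_reply(issued["email_subject"], issued["challenge"], ACCOUNT_JWK)
    # Attacker who controls only the ACME client knows part2 and the key but must guess part1.
    acme_only = expected_reply(b64url(secrets.token_bytes(16)), part2, ACCOUNT_JWK)
    # Attacker who can only read the mailbox knows part1 but has neither part2 nor the key.
    mailbox_only = b64url(hashlib.sha256((part1 + ".").encode("ascii")).digest())

    return {
        "legit": server_verify(part1, part2, ACCOUNT_JWK, good),
        "acme_only": server_verify(part1, part2, ACCOUNT_JWK, acme_only),
        "mailbox_only": server_verify(part1, part2, ACCOUNT_JWK, mailbox_only),
    }


if __name__ == "__main__":
    print(demo())
```

The two halves are generated independently, so knowledge of one gives no information about the other; that is what makes the e-mail-only and ACME-only positions in demo() equally hopeless. Note that this construction proves possession of the mailbox, the ACME account and its key at challenge time; it does nothing about an on-path attacker who can read the challenge e-mail, which is the separate multi-perspective question raised in the reply above.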