[Acme] Responding to challenges - spec bug?

Rob Stradling <rob@sectigo.com> Mon, 20 May 2019 15:56 UTC

From: Rob Stradling <rob@sectigo.com>
To: "acme@ietf.org" <acme@ietf.org>
Date: Mon, 20 May 2019 15:56:21 +0000
Message-ID: <a5d40c1b-d412-33b6-baf0-103a0ce7dc60@sectigo.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/-xxaoQF1xRDvuRDBofBGgUbXxWc>
Subject: [Acme] Responding to challenges - spec bug?
List-Id: Automated Certificate Management Environment <acme.ietf.org>

RFC8555 sections 8.3 (http-01) and 8.4 (dns-01) both say:
   'A client responds with an empty object ({}) to acknowledge that the
    challenge can be validated by the server.'

Section 7.5.1, which is apparently intended to apply to all challenge 
types (including challenge types defined in other documents), says the 
same thing...
   'The client indicates to the server that it is ready for the challenge
    validation by sending an empty JSON body ("{}") carried in a POST
    request to the challenge URL (not the authorization URL).'
...but then, after showing an example HTTP request, it goes on to say...
   'The server updates the authorization document by updating its
    representation of the challenge with the response object provided by
    the client.  The server MUST ignore any fields in the response object
    that are not specified as response fields for this type of challenge.
    Note that the challenges in this document do not define any response
    fields, but future specifications might define them.'

So it seems that the 'empty JSON body "({})"' is intended to be 
interpreted by the ACME server as a "response object" that (depending on 
the challenge type) "might define" some "response fields".  However, if 
any response fields are defined and included in the JSON body then the 
client will no longer be sending the 'empty JSON body ("{}")' that 
section 7.5.1 says it's supposed to send...
   'The client indicates to the server that it is ready for the challenge
    validation by sending an empty JSON body ("{}") carried in a POST
    request to the challenge URL (not the authorization URL).'

How would folks feel about an erratum to change that sentence in section 
7.5.1 to the following:
   'The client indicates to the server that it is ready for the challenge
    validation by sending a POST request to the challenge URL (not the
    authorization URL), where the body of the POST request is a JWS
    object whose JSON payload is a response object (see Section 8).  For
    all challenge types defined in this document, the response object is
    the empty JSON object ({}).'
?

-- 
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited
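The challenge-response exchange discussed in the message, as an added Python example that is not part of the original post, of RFC 8555, or of any ACME implementation. The client side assembles the JWS whose payload is the challenge's response object (the empty object for http-01 and dns-01, which is what the proposed erratum wording describes), and the server side applies the section 7.5.1 rule: decode the response object, copy only the fields defined for that challenge type, ignore the rest. The function names, the sample URLs, and the challenge type `example-future-01` (a stand-in for a future specification that defines a response field) are assumptions constructed for this example; signing with the account key and signature verification are deliberately left out, so the server function works on a payload whose JWS has already been verified.

```python
"""ACME challenge response: client-side JWS assembly and server-side
handling of the response object (RFC 8555 sections 7.5.1, 8.3, 8.4).

Added illustration only; not code from RFC 8555 or any ACME client/server.
Account-key signing and signature verification are out of scope here.
"""
import base64
import json
from typing import Optional

# Response fields defined per challenge type. RFC 8555's own challenge
# types define none. "example-future-01" is a hypothetical type constructed
# for this example to show how a future specification's fields would flow.
RESPONSE_FIELDS = {
    "http-01": frozenset(),
    "dns-01": frozenset(),
    "example-future-01": frozenset({"proof"}),  # hypothetical type/field
}


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_challenge_response(challenge_url: str, kid: str, nonce: str,
                             response_obj: Optional[dict] = None,
                             alg: str = "ES256") -> dict:
    """Client side: assemble the unsigned parts of the JWS POSTed to the
    challenge URL. The JWS payload is the response object; for http-01 and
    dns-01 that is the empty JSON object {}. Returns the base64url protected
    header, the base64url payload, and the signing input (the bytes the
    account key signs to produce the JWS signature).
    """
    if response_obj is None:
        response_obj = {}
    # Protected header per RFC 8555 section 6.2: alg, kid (account URL),
    # the fresh nonce, and the target URL (the challenge URL, not the
    # authorization URL).
    protected = {"alg": alg, "kid": kid, "nonce": nonce, "url": challenge_url}
    compact = {"separators": (",", ":")}
    protected_b64 = b64url_encode(json.dumps(protected, **compact).encode())
    payload_b64 = b64url_encode(json.dumps(response_obj, **compact).encode())
    return {
        "protected": protected_b64,
        "payload": payload_b64,
        "signing_input": f"{protected_b64}.{payload_b64}".encode("ascii"),
    }


def apply_challenge_response(challenge: dict, payload_b64: str) -> dict:
    """Server side: update the challenge representation with the client's
    response object (RFC 8555 section 7.5.1). Assumes the JWS signature,
    nonce, and url checks have already passed. Fields that are not defined
    as response fields for this challenge type are ignored, not rejected.
    Returns an updated copy of the challenge; the input is left unchanged.
    """
    # A zero-length payload is POST-as-GET (section 6.3): the client is
    # fetching the challenge resource, not acknowledging readiness.
    if payload_b64 == "":
        return dict(challenge)
    try:
        response_obj = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed challenge response payload") from exc
    if not isinstance(response_obj, dict):
        raise ValueError("challenge response must be a JSON object")
    ctype = challenge["type"]
    if ctype not in RESPONSE_FIELDS:
        raise ValueError(f"unsupported challenge type {ctype!r}")
    updated = dict(challenge)
    for field in RESPONSE_FIELDS[ctype]:
        if field in response_obj:
            updated[field] = response_obj[field]
    # The POST only signals readiness; validation itself runs afterwards.
    updated["status"] = "processing"
    return updated


if __name__ == "__main__":
    # Constructed sample values; the URLs are placeholders, not real endpoints.
    jws = build_challenge_response("https://example.com/acme/chall/1",
                                   "https://example.com/acme/acct/1",
                                   "constructed-nonce")
    print("client payload:", jws["payload"])  # "e30" is base64url of {}
    chall = {"type": "http-01", "status": "pending", "token": "constructed"}
    print("server view:", apply_challenge_response(chall, jws["payload"]))
```

The point the example makes concrete is the one the message raises: the body of the POST is a JWS, and `{}` is the payload of that JWS, so a future challenge type with response fields changes the payload without changing the mechanism. The server-side loop is written over the type's defined fields rather than over the client's object, which is the simplest way to get the "MUST ignore" rule right and to avoid letting an unexpected client-supplied key land in stored challenge state.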