IETF Logo Mail Archive

Re: [Acme] Fixing the TLS-SNI challenge type

Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 12 January 2018 13:20 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7C5712E880 for <acme@ietfa.amsl.com>; Fri, 12 Jan 2018 05:20:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7hgO8FQlnoop for <acme@ietfa.amsl.com>; Fri, 12 Jan 2018 05:20:14 -0800 (PST)
Received: from welho-filter1.welho.com (welho-filter1.welho.com [83.102.41.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C295312E87C for <acme@ietf.org>; Fri, 12 Jan 2018 05:20:13 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 2FDCE53885; Fri, 12 Jan 2018 15:20:11 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id 8AUjg1CSkLu1; Fri, 12 Jan 2018 15:20:10 +0200 (EET)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id C2F6C27F; Fri, 12 Jan 2018 15:20:08 +0200 (EET)
Date: Fri, 12 Jan 2018 15:20:08 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "Matthew D. Hardeman" <mhardeman@ipifony.com>
Cc: acme@ietf.org
Message-ID: <20180112132008.GA31427@LK-Perkele-VII>
References: <F3477AAE-9C23-4FBE-B88D-E3ABC3CFB60D@ipifony.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <F3477AAE-9C23-4FBE-B88D-E3ABC3CFB60D@ipifony.com>
User-Agent: Mutt/1.9.2 (2017-12-15)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/0hK-71v3zIVgvEgm6912HlW2wnc>
Subject: Re: [Acme] Fixing the TLS-SNI challenge type
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jan 2018 13:20:17 -0000

On Thu, Jan 11, 2018 at 09:46:28PM -0600, Matthew D. Hardeman wrote:
> 
> In order to actually be an improvement in security, the ALPN needs
> to be more than a mere marker of support.
> 
> Consider:  The new mechanism is implemented and Let’s Encrypt
> deploys.
> 
> Rather than do the work to ALSO fix the insecure aspects of the
> infrastructure, they’ll hastily patch in the “acme" name.
> 
> To add security, perhaps the SNI that is sent should be the actual
> domain label that is being validated, along with the “acme” ALPN
> name.  At this point, an actual ALPN extension should negotiate the
> authentication, with the server having the opportunity to bind the
> proper target name to a desired authentication and then if and
> only if the server has available the account key credentials of the
> requestor, would it be able to answer with a proper authentication.
> 
> Just adding a marker with the hammer being that just doing this
> without implementing the promises that are supposed to be implied
> on pain of violating an RFC is…  Likely to get laughed at in a
> derisive way by the very web hosts whose behavior now has you
> contemplating improvements to the protocol.
> 
> There’s no fast way out of this mess.

The mechanism is presumably bound by "method 10" from current CABForum
BRs.

The language in the BRs is (paraphrased):

'A random value in a certificate on the name being validated'.


So the certificate must contain both the name being validated and the
random value.

That certificate may be either X.509 certificate (which are apparently
a bit nontrivial to generate, I personally don't think it is that bad)
or some other format of certificate.


However, if one is to keep with cryptographically kosher practices,
there are the following constraints:

- The account key can not sign X.509 certificate, or any other
  certificate with format not based on JWS.
- The account key can not directly sign TLS key exchange. 

Also, another certificate format would require a new TLS certificate
format. Codepoint assignment needs an RFC, but in practice, those
would likely be annoying to implement.

Then there are the following implementation constraints:

- The key used to sign the TLS key exchange must appear the
  certificate.


-Ilari

v2.23.0 | Report a Bug | By Email