Re: [Acme] Fixing the TLS-SNI challenge type
Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 12 January 2018 13:20 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7C5712E880 for <acme@ietfa.amsl.com>; Fri, 12 Jan 2018 05:20:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7hgO8FQlnoop for <acme@ietfa.amsl.com>; Fri, 12 Jan 2018 05:20:14 -0800 (PST)
Received: from welho-filter1.welho.com (welho-filter1.welho.com [83.102.41.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C295312E87C for <acme@ietf.org>; Fri, 12 Jan 2018 05:20:13 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 2FDCE53885; Fri, 12 Jan 2018 15:20:11 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id 8AUjg1CSkLu1; Fri, 12 Jan 2018 15:20:10 +0200 (EET)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id C2F6C27F; Fri, 12 Jan 2018 15:20:08 +0200 (EET)
Date: Fri, 12 Jan 2018 15:20:08 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "Matthew D. Hardeman" <mhardeman@ipifony.com>
Cc: acme@ietf.org
Message-ID: <20180112132008.GA31427@LK-Perkele-VII>
References: <F3477AAE-9C23-4FBE-B88D-E3ABC3CFB60D@ipifony.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <F3477AAE-9C23-4FBE-B88D-E3ABC3CFB60D@ipifony.com>
User-Agent: Mutt/1.9.2 (2017-12-15)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/0hK-71v3zIVgvEgm6912HlW2wnc>
Subject: Re: [Acme] Fixing the TLS-SNI challenge type
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jan 2018 13:20:17 -0000
On Thu, Jan 11, 2018 at 09:46:28PM -0600, Matthew D. Hardeman wrote: > > In order to actually be an improvement in security, the ALPN needs > to be more than a mere marker of support. > > Consider: The new mechanism is implemented and Let’s Encrypt > deploys. > > Rather than do the work to ALSO fix the insecure aspects of the > infrastructure, they’ll hastily patch in the “acme" name. > > To add security, perhaps the SNI that is sent should be the actual > domain label that is being validated, along with the “acme” ALPN > name. At this point, an actual ALPN extension should negotiate the > authentication, with the server having the opportunity to bind the > proper target name to a desired authentication and then if and > only if the server has available the account key credentials of the > requestor, would it be able to answer with a proper authentication. > > Just adding a marker with the hammer being that just doing this > without implementing the promises that are supposed to be implied > on pain of violating an RFC is… Likely to get laughed at in a > derisive way by the very web hosts whose behavior now has you > contemplating improvements to the protocol. > > There’s no fast way out of this mess. The mechanism is presumably bound by "method 10" from current CABForum BRs. The language in the BRs is (paraphrased): 'A random value in a certificate on the name being validated'. So the certificate must contain both the name being validated and the random value. That certificate may be either X.509 certificate (which are apparently a bit nontrivial to generate, I personally don't think it is that bad) or some other format of certificate. However, if one is to keep with cryptographically kosher practices, there are the following constraints: - The account key can not sign X.509 certificate, or any other certificate with format not based on JWS. - The account key can not directly sign TLS key exchange. Also, another certificate format would require a new TLS certificate format. Codepoint assignment needs an RFC, but in practice, those would likely be annoying to implement. Then there are the following implementation constraints: - The key used to sign the TLS key exchange must appear the certificate. -Ilari
- [Acme] Fixing the TLS-SNI challenge type Jonathan Rudenberg
- Re: [Acme] Fixing the TLS-SNI challenge type Roland Bracewell Shoemaker
- Re: [Acme] Fixing the TLS-SNI challenge type Jonathan Rudenberg
- Re: [Acme] Fixing the TLS-SNI challenge type Roland Bracewell Shoemaker
- Re: [Acme] Fixing the TLS-SNI challenge type Peter Eckersley
- Re: [Acme] Fixing the TLS-SNI challenge type Martin Thomson
- Re: [Acme] Fixing the TLS-SNI challenge type Jonathan Rudenberg
- Re: [Acme] Fixing the TLS-SNI challenge type Martin Thomson
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Jonathan Rudenberg
- Re: [Acme] Fixing the TLS-SNI challenge type Patrick Figel
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Niklas Keller
- Re: [Acme] Fixing the TLS-SNI challenge type Daniel McCarney
- Re: [Acme] Fixing the TLS-SNI challenge type Daniel McCarney
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Richard Barnes
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Tim Hollebeek
- Re: [Acme] Fixing the TLS-SNI challenge type Tim Hollebeek
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Salz, Rich
- Re: [Acme] Fixing the TLS-SNI challenge type Tim Hollebeek