[Acme] Add badPublicKey error

Rob Stradling <rob@sectigo.com> Thu, 24 January 2019 14:26 UTC

From: Rob Stradling <rob@sectigo.com>
To: IETF ACME <acme@ietf.org>
Date: Thu, 24 Jan 2019 14:26:20 +0000
Message-ID: <08d23693-4d9c-559d-d8f4-8af860d6a127@sectigo.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/3jILRngs0mnHVl3DMcrbQbpcWPQ>

I realize it's very late for making non-editorial changes to 
draft-ietf-acme-acme, but I'd like to propose adding a new badPublicKey 
error.  This error would be returned by the server whenever it does not 
support, or wishes to reject, a "jwk" public key supplied in a client's 
request.

Proposed text: https://github.com/ietf-wg-acme/acme/pull/478

The 'array of supported "alg" values' in a badSignatureAlgorithm 
response is useful, but ISTM that it doesn't provide detailed enough 
information to assist a client in generating a suitable public key.

(If the consensus is that it's too late to add a new error type, then my 
alternative proposal will be to use "malformed" instead of adding 
"badPublicKey", but keep the rest of PR 478 as is; I think it's a good 
idea to call out the need for a server to sanity check each 
client-supplied public key).

-- 
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited
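The server-side sanity check Rob asks for, written here as an added illustration (not text from the draft or from PR 478): a client-supplied "jwk" is inspected and either accepted or mapped to an ACME problem document, with structural defects reported as "malformed" and policy rejections as "badPublicKey". The URN prefix is the one used by the existing ACME error types; the key-size, exponent and curve policy is an assumption for this example, as are the constructed sample keys.

```python
import base64

# Problem-type prefix shared by ACME's existing error types ("malformed", "badSignatureAlgorithm", ...).
ACME_ERR = "urn:ietf:params:acme:error:"

# Key policy assumed for this example (not from the draft): RSA 2048-4096 bits with an odd
# public exponent >= 65537, or EC keys on P-256/P-384.
RSA_MIN_BITS, RSA_MAX_BITS, RSA_MIN_E = 2048, 4096, 65537
ALLOWED_CURVES = {"P-256", "P-384"}

def b64u_to_int(s):
    """Decode an unpadded base64url JWK integer field (e.g. "n", "e") to an int."""
    raw = base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    return int.from_bytes(raw, "big")

def int_to_b64u(i):
    """Inverse of b64u_to_int; used here only to build the constructed sample keys."""
    raw = i.to_bytes((i.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def problem(error, detail):
    """Build an RFC 7807 problem document carrying an ACME error type."""
    return {"type": ACME_ERR + error, "detail": detail}

def check_jwk(jwk):
    """Return None if the client's "jwk" is acceptable, else the problem document to send."""
    kty = jwk.get("kty")
    if kty == "RSA":
        try:
            n, e = b64u_to_int(jwk["n"]), b64u_to_int(jwk["e"])
        except (KeyError, ValueError, TypeError):
            return problem("malformed", "RSA JWK needs base64url 'n' and 'e'")  # syntax, not policy
        if not RSA_MIN_BITS <= n.bit_length() <= RSA_MAX_BITS:
            return problem("badPublicKey", f"RSA modulus must be {RSA_MIN_BITS}-{RSA_MAX_BITS} bits")
        if n % 2 == 0 or e % 2 == 0 or e < RSA_MIN_E:
            return problem("badPublicKey", f"RSA modulus and exponent must be odd, e >= {RSA_MIN_E}")
        return None
    if kty == "EC":
        if jwk.get("crv") not in ALLOWED_CURVES:
            return problem("badPublicKey", f"unsupported curve {jwk.get('crv')!r}")
        if "x" not in jwk or "y" not in jwk:
            return problem("malformed", "EC JWK needs 'x' and 'y'")
        return None
    return problem("badPublicKey", f"unsupported key type {kty!r}")

# Constructed sample keys (not real keys; only the fields the check inspects are populated):
# a policy-conforming 2048-bit RSA shape, an undersized 1024-bit one, and a P-521 EC key.
GOOD_RSA = {"kty": "RSA", "n": int_to_b64u((1 << 2047) | 1), "e": int_to_b64u(65537)}
SMALL_RSA = {"kty": "RSA", "n": int_to_b64u((1 << 1023) | 1), "e": int_to_b64u(65537)}
P521_EC = {"kty": "EC", "crv": "P-521", "x": "AA", "y": "AA"}
```

A server would return the problem document with HTTP 400 and Content-Type application/problem+json, exactly as it does for the existing error types.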