IETF Logo Mail Archive

Re: [Acme] Please consider adding server authentication

"Salz, Rich" <rsalz@akamai.com> Mon, 22 October 2018 19:03 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34043130E83 for <acme@ietfa.amsl.com>; Mon, 22 Oct 2018 12:03:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.171
X-Spam-Level:
X-Spam-Status: No, score=-1.171 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.47, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, KHOP_DYNAMIC=1.999, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mshiWVZpdGH6 for <acme@ietfa.amsl.com>; Mon, 22 Oct 2018 12:03:40 -0700 (PDT)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C05B4130F11 for <acme@ietf.org>; Mon, 22 Oct 2018 12:03:40 -0700 (PDT)
Received: from pps.filterd (m0122333.ppops.net [127.0.0.1]) by mx0a-00190b01.pphosted.com (8.16.0.23/8.16.0.23) with SMTP id w9MIv8FB018183; Mon, 22 Oct 2018 20:03:40 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=V3SR3kpiiW/y1K58hN2kg0b7tOa7iMaA+WFYVk2PuGI=; b=mHXXlR1O1HFFdroznmEMsef00ZWMt1WVF4bnwr/K9v0nXiXB57ss//owzEm4j0HZbVnU agqz8f1ldCf17/yUT/8tKdS0NwQKUszpNBs47Ttvjcy6vyqk7mc3C1APU3IYZrys6q+z ImjwhUQoj1ktXtcd1PZkbv5bQ3sbIDFJnACFTWpvjRoVhzaXn+r0aqCGfY9Bd9WWYAid DoWEYS2JCZx4N2555Jp2qVJaJVHoGCqrWvKKDcHumwkDtTim7hOg1LNmyTqzs7qe/6lz LINbm5mtWHPYWSCxkL3UgUUbQidsiLlvxQPUB7A9Go8SFgNezRm1xXJKgBaJIlyNzXo5 8g==
Received: from prod-mail-ppoint1 (prod-mail-ppoint1.akamai.com [184.51.33.18]) by mx0a-00190b01.pphosted.com with ESMTP id 2n7um5pyen-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 22 Oct 2018 20:03:39 +0100
Received: from pps.filterd (prod-mail-ppoint1.akamai.com [127.0.0.1]) by prod-mail-ppoint1.akamai.com (8.16.0.21/8.16.0.21) with SMTP id w9MInw6b017719; Mon, 22 Oct 2018 15:03:38 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.32]) by prod-mail-ppoint1.akamai.com with ESMTP id 2n7ypv9gns-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Mon, 22 Oct 2018 15:03:38 -0400
Received: from USMA1EX-DAG1MB5.msg.corp.akamai.com (172.27.123.105) by usma1ex-dag3mb3.msg.corp.akamai.com (172.27.123.58) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Mon, 22 Oct 2018 15:03:37 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb5.msg.corp.akamai.com (172.27.123.105) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Mon, 22 Oct 2018 15:03:37 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1365.000; Mon, 22 Oct 2018 15:03:37 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: Kas <kas@lightc.com>, Richard Barnes <rlb@ipv.sx>, "acme@ietf.org" <acme@ietf.org>
Thread-Topic: [Acme] Please consider adding server authentication
Thread-Index: AQHUafc9y42byirhyUWD5OeBBt2Dh6UrekEAgAAXdYCAAAe8AIAABGMA///S+ACAAE0NAP//xluAgABX/YD//8O9AA==
Date: Mon, 22 Oct 2018 19:03:37 +0000
Message-ID: <A143BB6D-1A93-4BBC-9503-50D880D0C916@akamai.com>
References: <1b7ac56a-0eac-bb05-5eed-5cee50d6c6b6@lightc.com> <CAL02cgTCwzF0Vh6ExRBMVyJN5e6x0w=JOfYrVMaOGspZTM2uVQ@mail.gmail.com> <a8824bcb-9984-23e9-5236-8d3b55c021e8@lightc.com> <CAL02cgQXpaVLbuZzi6mMmPWheqAh70gDcrHOjj8jwUNPb0ioBg@mail.gmail.com> <cc5944d0-2fb8-aea8-ceda-b9f7b44fe9da@lightc.com> <0762A613-3842-4E85-81E2-AF773E348D48@akamai.com> <665beada-fb8b-cfcd-43d0-69edf7a9f647@lightc.com> <CDA9CE0D-3BCF-4F9D-9B56-9043CB8845FC@akamai.com> <bafa7cfe-695d-e21b-6974-07ec7d253b46@lightc.com>
In-Reply-To: <bafa7cfe-695d-e21b-6974-07ec7d253b46@lightc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.12.0.181014
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.37.136]
Content-Type: multipart/alternative; boundary="_000_A143BB6D1A934BBC950350D880D0C916akamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-10-22_11:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1810220160
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-10-22_11:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1810220162
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/4PCb8H0RhFAp3D7MLTM20YywpgI>
Subject: Re: [Acme] Please consider adding server authentication
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Oct 2018 19:03:49 -0000

  *   I am not trying to raise an issue

Yes, that is exactly what you are doing.  Raising an issue for discussion.  It’s just the terminology we use.


  *   Acme server is CA server and shouldn't need a root store to be validated or trusted, that root store can be easily manipulated even by a software, even without locally manipulation the MitM can issue a certificate to the client by simply hijacking the connection and having certificate issued by trusted CA, and the client will validate and trust that certificate.

I thought you were concerned about client’s being attacked by MiTM?

At any rate, you didn’t waste anyone’s time.  Open discussion is the purpose.

v2.23.0 | Report a Bug | By Email