IETF Logo Mail Archive

Re: [Acme] Issuing certificates based on Simple HTTP challenges

Julian Dropmann <julian@dropmann.org> Tue, 15 December 2015 02:20 UTC

Return-Path: <julian@dropmann.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0C561AD36F for <acme@ietfa.amsl.com>; Mon, 14 Dec 2015 18:20:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D8AxJsH8b-9B for <acme@ietfa.amsl.com>; Mon, 14 Dec 2015 18:20:41 -0800 (PST)
Received: from mail-wm0-x22c.google.com (mail-wm0-x22c.google.com [IPv6:2a00:1450:400c:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6E001AD362 for <acme@ietf.org>; Mon, 14 Dec 2015 18:20:40 -0800 (PST)
Received: by mail-wm0-x22c.google.com with SMTP id n186so144996697wmn.1 for <acme@ietf.org>; Mon, 14 Dec 2015 18:20:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dropmann.org; s=dkim1; h=references:mime-version:in-reply-to:content-type :content-transfer-encoding:message-id:cc:from:subject:date:to; bh=yI2IvLUKCIQvSTRf+On4b8geSfSDtRjK3oUy0Ru6ia4=; b=KKSuaZMn6KBu8r2wmehkwBegshGVto2YcG1nOnaewckf13KFDw6OrMq2e5H5DEaF/0 evmW26JBc7EGv9up39V6G+1OjkvBCOjKTYdec2EwJ2AcOUoZcXbXbFfnAd0vv//jLWlW JhwCh0ePoDQeT5637BM6AEX6r+bJk6UDSZiiE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:references:mime-version:in-reply-to:content-type :content-transfer-encoding:message-id:cc:from:subject:date:to; bh=yI2IvLUKCIQvSTRf+On4b8geSfSDtRjK3oUy0Ru6ia4=; b=XgFEVGQlsvClLwqcrNkmtUjLDanfLmJFWYrYAlaCdV/d8jOrEs5NA8Impz/9tYaXFP nMrKa6IjGvMGDmDt0OTN/9Y4302T11aTjsinDfr46Uxh42kQN49kcq5NpkszCTuccq6J XG0nwnE1ffJ8p6ju1cm2IopHHDhGnWzCf9rGb7Rjj5BF0PB/fR4aWC2CM/cXFLFe+r0Q oHnXUKi1ROqBijHeFbagMlSJfACRzFKsj0UGnfU5Ln8K6T0L2euvViExv39DP/vZSkyR wOD7YeajKsojT6ngFRkGuRrELWsre0WboqOZjJbegaygB0YH0puWpidYEi8ilRn8r0a0 +2tA==
X-Gm-Message-State: ALoCoQmkCs0W6rz96CPsSr+B6PQ0uZkPx8p48EBsyxUIhZScFerJDM8Vh4aA0yk6bFFrwXXhDDhm7bMrNhYMOW7W0m/63XyQEQ==
X-Received: by 10.194.88.10 with SMTP id bc10mr6557584wjb.49.1450146039113; Mon, 14 Dec 2015 18:20:39 -0800 (PST)
Received: from ?IPv6:2003:4d:ec1e:4200:c02b:1abb:97ff:485f? (p2003004DEC1E4200C02B1ABB97FF485F.dip0.t-ipconnect.de. [2003:4d:ec1e:4200:c02b:1abb:97ff:485f]) by smtp.gmail.com with ESMTPSA id w141sm18599110wmw.24.2015.12.14.18.20.37 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 14 Dec 2015 18:20:37 -0800 (PST)
References: <CAF+SmEpOLoaREymVhi=qOUg2opz1vKzzNp6tGrDTZAjYSKFDkg@mail.gmail.com> <566F15DC.7090607@wyraz.de> <6B677A87-C6A0-485E-80DF-24960D585F46@coderanger.net> <566F2CB5.90402@wyraz.de> <89774336-0BA6-48FC-821D-1E8F3ED9AC14@coderanger.net> <566F4701.7050308@wyraz.de> <F3DA31B1-B27C-4C63-8ED4-6D27D46FF282@coderanger.net>
Mime-Version: 1.0 (1.0)
In-Reply-To: <F3DA31B1-B27C-4C63-8ED4-6D27D46FF282@coderanger.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Message-Id: <C2C239F2-E8A7-499B-BE52-3A48EA92B86D@dropmann.org>
X-Mailer: iPhone Mail (13C75)
From: Julian Dropmann <julian@dropmann.org>
Date: Tue, 15 Dec 2015 03:20:36 +0100
To: Noah Kantrowitz <noah@coderanger.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/5oKNLXDtHMieTnNjfX8apcm7Mp0>
Cc: acme@ietf.org
Subject: Re: [Acme] Issuing certificates based on Simple HTTP challenges
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Dec 2015 02:20:43 -0000

The important difference is, that only zones which intent to use ACRE would create such an SRV record in the first place.
With the current design any A record host in the world can obtain certs. By using an ACRE specific SRV record the domain owner at has at least shown the intent to use ACRE for his zone. And also he could limit it to a specific port number/service on that host.
I think this would be a very huge security improvement, and of the verification quality in general, but only if this would not be an optional thing.

> On 15 Dec 2015, at 00:02, Noah Kantrowitz <noah@coderanger.net> wrote:
> 
> It wouldn't matter anyway because even with a SRV delegation for the challenge, the final cert is still issued against only a hostname, not a specific service. Combined with the fact that there are existing CAs that do a rough equivalent of http-01 and we can't expect that to go away any time soon, it isn't hard to see why pragmatism won out in the initial design. Fixing this for reals requires TLS-level protocol improvements for per-service certificates. Not against that, just saying you've got a long road ahead of you.
> 
> --Noah
> 
>> On Dec 14, 2015, at 2:47 PM, Michael Wyraz <michael@wyraz.de> wrote:
>> 
>> I thought about all the DNS stuff and came to the conclusion that focussing ssl certs for https only and ignoring all the rest may cause further security issues.
>> E.g. if I delegate http (via A-record or CNAME) to someone else, he can now create valid ssl certs for my mail server which I did not delegate. IMO A-record should be dedicated to http(s) (for legacy reasons, see http://stackoverflow.com/questions/9063378/why-do-browsers-not-use-srv-records) and all other services (inclusing ACME) should use their own srv records.
>> 
>> Looks like a decision between comfort and security - let's bet what will win...
>> 
>>> Fair, adding a DNS-level opt-out would be a reasonable addition for future iterations, but not a hugely pressing issue given the expected use cases.
>>> 
>>> --Noah
>>> 
>>> 
>>>> On Dec 14, 2015, at 12:55 PM, Michael Wyraz <michael@wyraz.de>
>>>> wrote:
>>>> 
>>>> So just leave out the part with "then switch completely from A to SRV" and allow both. This gives people the comfort to use A/CNAME stuff while others who prefer security use SRV. Both are happy, problem solved ;-)
>>>> 
>>>>> Using normal A/CNAME records matches the default use case of HTTPS a lot more smoothly and allows a lot of cool transparent upgrade stuffs from folks like DreamHost or Fastly that already do the CNAME setup as part of user on-boarding and can run http-01 on the behalf of the user to set them up on an SNI termination. If all the major CDNs did this, it would be worth the negative issues where HTTP is delegated to an untrusted service. If TLS ever grows per-service restrictions that would be appropriate here, but that is waaaay out of scope for ACME I would think :-/
>>>>> 
>>>>> --Noah
>>>>> 
>>>>> 
>>>>> 
>>>>>> On Dec 14, 2015, at 11:17 AM, Michael Wyraz <michael@wyraz.de>
>>>>>> 
>>>>>> wrote:
>>>>>> 
>>>>>> Julian,
>>>>>> 
>>>>>> the issue your described here is caused by the assumption that any the A-record points to a host that should be allowed to create certs for that domain. IMO a solution would be simple: use some special SRV record that points to a service that does the challenge. Allow users to set this record to something like "none" to completely disallow ACME-based cert generation. Use A-record as fallback for a given time (e.g. one year), then switch completely from A to SRV,
>>>>>> 
>>>>>> Problem solved ;-)
>>>>>> 
>>>>>> And it's almost as comfortable as using the A-record because it needs just one single additional step, no change of the client, absolutely minimal change to the server, no extra software or support for dynamic DNS updates or such.
>>>>>> 
>>>>>> As a side effect it solves many problems with ACME in complex environments like geo-distributed dns.
>>>>>> 
>>>>>> Kind regards,
>>>>>> Michael.
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> Hello,
>>>>>>> 
>>>>>>> maybe I am just a naive concerned user, but in my opinion there is one major issue with the Simple HTTP challenge and possibly other challenges, specified by ACME:
>>>>>>> 
>>>>>>> Any host which is specified by an A/AAAA record of that domain zone can obtain trusted certificates in the name of the domain zone owner.
>>>>>>> Lets assume I host an private XMPP server using TLS on my own domain using an SRV record, and I point an A record to a third party hoster which hosts my public web blog.
>>>>>>> Now this third party hoster would be able to obtain signed certificates for my domain using ACME and use that to host an XMPP service on that domain using the standard port.
>>>>>>> Clients which trust that CA are now perfectly happy connecting to that entity.
>>>>>>> 
>>>>>>> By creating an A record I ofcourse need to trust that host to some degree, but I still would expect the CA to verify if the requester has control over the DNS zone itself an not just over a single service running there.
>>>>>>> 
>>>>>>> And consequently if it is valid to verify over HTTP, then maybe another CA validates the domain ownership by a mail service/MX record, and a third one over XMPP/SRV.
>>>>>>> 
>>>>>>> This effectively means, as a domain zone admin, I have to trust every single service I define, not just to properly deliver this service, but also not to exploit his ability to obtain signed certificates in my name.
>>>>>>> 
>>>>>>> Also you rely on the fact that on UNIX only root can bind on port 80 and 443. Lets assume there is an OS out there which does not enforce this restriciton,
>>>>>>> now any user on that host is able to obtain signed certificates for that domain.
>>>>>>> 
>>>>>>> Maybe I missed something here, but overall this seems to be a very bad idea to automatically issue certificates without requiring a change in the actual DNS zone the certificate is issued for.
>>>>>>> 
>>>>>>> Kind regards,
>>>>>>> Julian Dropmann
>>>>>>> 
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> Acme mailing list
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> Acme@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/acme
>>>>>> _______________________________________________
>>>>>> Acme mailing list
>>>>>> 
>>>>>> 
>>>>>> Acme@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/acme
>>>>> 
>>>>> _______________________________________________
>>>>> Acme mailing list
>>>>> 
>>>>> 
>>>>> Acme@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/acme
>>>> _______________________________________________
>>>> Acme mailing list
>>>> 
>>>> Acme@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/acme
>>> 
>>> 
>>> _______________________________________________
>>> Acme mailing list
>>> 
>>> Acme@ietf.org
>>> https://www.ietf.org/mailman/listinfo/acme
>> 
>> _______________________________________________
>> Acme mailing list
>> Acme@ietf.org
>> https://www.ietf.org/mailman/listinfo/acme
> 
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme

v2.23.0 | Report a Bug | By Email