Re: [Acme] Threat model for claiming domains
Rob Stradling <rob.stradling@comodo.com> Mon, 22 December 2014 10:43 UTC
Return-Path: <rob.stradling@comodo.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2CE01A8A5A for <acme@ietfa.amsl.com>; Mon, 22 Dec 2014 02:43:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level:
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pe-1loxyVf5w for <acme@ietfa.amsl.com>; Mon, 22 Dec 2014 02:43:17 -0800 (PST)
Received: from mmextmx2.mcr.colo.comodoca.net (mmextmx2.mcr.colo.comodoca.net [IPv6:2a02:1788:402:c00::c0a8:9cd6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D33851A8A51 for <acme@ietf.org>; Mon, 22 Dec 2014 02:43:10 -0800 (PST)
Received: (qmail 17432 invoked by uid 1004); 22 Dec 2014 10:43:07 -0000
Received: from ian.brad.office.comodo.net (HELO ian.brad.office.comodo.net) (192.168.0.202) by mmextmx2.mcr.colo.comodoca.net (qpsmtpd/0.84) with ESMTP; Mon, 22 Dec 2014 10:43:07 +0000
Received: (qmail 20884 invoked by uid 1000); 22 Dec 2014 10:43:07 -0000
Received: from and0004.comodo.net (HELO [192.168.0.58]) (192.168.0.58) (smtp-auth username rob, mechanism plain) by ian.brad.office.comodo.net (qpsmtpd/0.40) with (AES128-SHA encrypted) ESMTPSA; Mon, 22 Dec 2014 10:43:07 +0000
Message-ID: <5497F5BB.9030002@comodo.com>
Date: Mon, 22 Dec 2014 10:43:07 +0000
From: Rob Stradling <rob.stradling@comodo.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: Richard Barnes <rlb@ipv.sx>
References: <CAHOTMVJdf8mQ-8_-ocHpfUA+N9v-S5VsBWgOVp1aFwDaWp3d0Q@mail.gmail.com> <CAL02cgSvc1sO-iH3J_c4f=A2CspKwG686DaSUC1JKLD4GRy__w@mail.gmail.com>
In-Reply-To: <CAL02cgSvc1sO-iH3J_c4f=A2CspKwG686DaSUC1JKLD4GRy__w@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/7mGFSC7vb2QoKJGnTjDSat1ChJM
Cc: acme@ietf.org
Subject: Re: [Acme] Threat model for claiming domains
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Dec 2014 10:43:29 -0000
Hi Richard. This pdf has some more details on Comodo's other domain validation methods... https://secure.comodo.com/api/pdf/latest/Domain%20Control%20Validation.pdf On 20/12/14 00:25, Richard Barnes wrote: > Hey Tony, > > I just got around to thinking about this for a moment. Obviously, our > baseline here should be whatever the CAs are doing today, since we have > empirical evidence that those methods are more or less OK. I did a > quick and dirty empirical survey of the top few CAs this afternoon: > > https://docs.google.com/a/ipv.sx/document/d/1KVKIS6abA2KL-yHvFsMql6U3qUjVhgO6p19Hzci0vQo/edit?usp=sharing > > For the most part, they rely on sending an email to either the > registered WHOIS contact, or something like admin@domain. GlobalSign > supports validation based on a DNS record or a <meta> tag in index.html. > > With regard to your concern about services colocated on the same IP > (presumably for simpleHttps and DVSNI validation): This seems to mostly > be addressed by not allowing the ACME client to specify the port that > the ACME server connects to. That means that the attacker has to > control not only something on the box, but the default port for HTTP or > HTTPS. If that's not the case, normal routing based on the Host header > or SNI should ensure that the validation request goes to the right place. > > Nonetheless, I agree that more analysis would be useful, across all the > validation methods. > > --Richard > > > On Mon, Dec 1, 2014 at 7:33 PM, Tony Arcieri <bascule@gmail.com > <mailto:bascule@gmail.com>> wrote: > > Is there a published threat model for claiming domains? I haven't > been able to find it, but I'd certainly like to read it! > > If we simply accept a service running on the same IP that a given > DNS name points to, there seems ample opportunity to register > certificates for services colocated on the same IP. > > -- > Tony Arcieri -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online
- [Acme] Threat model for claiming domains Tony Arcieri
- Re: [Acme] Threat model for claiming domains Richard Barnes
- Re: [Acme] Threat model for claiming domains Rob Stradling
- Re: [Acme] Threat model for claiming domains Richard Barnes
- Re: [Acme] Threat model for claiming domains Peter Bowen
- Re: [Acme] Threat model for claiming domains Rob Stradling
- Re: [Acme] Threat model for claiming domains Phillip Hallam-Baker
- Re: [Acme] Threat model for claiming domains Richard Barnes
- Re: [Acme] Threat model for claiming domains Bernd Eckenfels
- Re: [Acme] Threat model for claiming domains Rob Stradling