[Acme] Re: Potential issues with dns-persist-01
Seo Suchan <tjtncks@gmail.com> Fri, 17 April 2026 12:09 UTC
Return-Path: <tjtncks@gmail.com>
X-Original-To: acme@mail2.ietf.org
Delivered-To: acme@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 59790DE39A38 for <acme@mail2.ietf.org>; Fri, 17 Apr 2026 05:09:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1776427793; bh=pq2UczfiO3LRnUb1cqngKH3wt1GUsoTzbkSNSEv7LV8=; h=Date:From:To:Subject:In-Reply-To:References; b=cL2TjVzJNhWlJ0BjM/90vReQHkDKYZghKRwcQCsbBXcCy/uSVvT85W97WvYaR89qK sL1HTIHqCB/LX86BRRHwjDUA/Z2QQGPzOTe5llq88v3trwPCDGiGAhUUmNqwH9v53c J6oGoVPT+Ne0SyU62GQVmFprqk2e/uXjmDZ5PKd8=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -0.597
X-Spam-Level:
X-Spam-Status: No, score=-0.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.999, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TVD_PH_BODY_ACCOUNTS_PRE=0.001] autolearn=no autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ipwWFw0VFW_q for <acme@mail2.ietf.org>; Fri, 17 Apr 2026 05:09:52 -0700 (PDT)
Received: from mail-yx1-xb134.google.com (mail-yx1-xb134.google.com [IPv6:2607:f8b0:4864:20::b134]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id CB3CDDE39A30 for <acme@ietf.org>; Fri, 17 Apr 2026 05:09:52 -0700 (PDT)
Received: by mail-yx1-xb134.google.com with SMTP id 956f58d0204a3-651c3212b0bso409875d50.1 for <acme@ietf.org>; Fri, 17 Apr 2026 05:09:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776427792; x=1777032592; darn=ietf.org; h=content-transfer-encoding:mime-version:message-id:references :in-reply-to:user-agent:subject:to:from:date:from:to:cc:subject:date :message-id:reply-to; bh=EpwZ62MhI6YW7EGIcWhMuTbH6keogV+l0btsf/4ex7M=; b=aZPeAcjJ+GTxZtvQvbNFZRxrk8y2ASaJlm+z/mxQ4+mspEwxFK/EzMtcpaW4dNUI6Z GuVkvxRyclPPKW1WlbaVUZtiaf3NOg0Team/VyPua2pIGAYBr9+jlEnVVkCn9TlttEDk 5YNliSlbYsbYYAZpVcapdNcFT0Z29UWcGv8SuEl5qRtSFa2SRaBstuQLkGlXyOyFYYNZ UDY9mPiTBnGb9TYScvSV1XVDYXtE4GmfgE8vnK0k6RR7pJgCIpvULppjGcjpbqxtgFxT RP+Ee5Tk3iSrlRptFcjiX7HlV9VSsxR60S8dDfWkJBQ0tSLKJKj4RAJjHvDRfwQehoQ/ TAKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776427792; x=1777032592; h=content-transfer-encoding:mime-version:message-id:references :in-reply-to:user-agent:subject:to:from:date:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=EpwZ62MhI6YW7EGIcWhMuTbH6keogV+l0btsf/4ex7M=; b=Tg35tN5dN1Uj49otdMr08p/VzCDktHlYMHfL0YBVGKyFALbRtAim41xreXJsCzs/M9 6g3SWBgi+ZnpFajIJMAyTyIzwcoPZfKYv2gOsrWASfjwyjbBJKcHL/NnUPAGEgsSK2QL JRtGneuLGqpMDQIaAFmYa2GDHjVjBXhcgVmwkjQrueQCqOPy64QdCIJvPUcb/G9pAz9G dx7AhT67WO8x/tQnxtd8D26sIElJHDUYpvuPTIfQlCnIu+1iYsUNI1BPEVh+MPVY3/XE 9Sh+FE2Wl/i1GercriB7urujW41s4WbKYpfjZyC8uuEfam5Urj2xbSd6CllBuYI3jHrS KOGw==
X-Gm-Message-State: AOJu0YzU4Dw/87hBR5upZRA9h+JwHXzozC7leUWnSy4wTyUyoIvATnzt Z96vvjwkj5prJ8psx6oeTueMGE17JZcmPmnOFmgCUpKlh7km+q+GtMprANsIhQ==
X-Gm-Gg: AeBDievL0vMTPs6Pp/zY74noOc+2gIstAXrftB390Ob7TQgjXbBFFYWgyqofu1KFp1F kNIS5vja0uEPIJw1BHqHE7bbtlt18Fot+50FNmCqWhC0NDKKA/6HS9m7Mt3ZDX7Bgpju7CwzGFu VBpmDk9jfHipyoCT/7cVH89pOtA90A/gXRyRqHtz5g++UxWLxDUCWCaIHTEWhEeTDbRkTn7Usuf g+6CDnW/e1ZM+APS8832Q1Q2gtFN4WNgpG9iBJiaa+bOLOQJy36FrjBHQUQtzZofV6PfPxQdzgV VPGTAszPsL+hM7le0CI9tMSXK4ItLbWBvdCFAUHtvcL23c+SEQm8zu1OJR4kL4DFMhgzwENzUMB JktTSC+xFqDcfYOCwBBfIJpYzr3QFDiYywtiTDbwcK7MBYny5/s3f+l56N/A8+zQ0hj6bpOXffT A/OgognuaUi0g6G7o2V6Mz6Osn2KE7s9oKk0ACMnqM9CABaroLCagal6r0
X-Received: by 2002:a53:d017:0:b0:651:b73b:251a with SMTP id 956f58d0204a3-6531058d034mr1996918d50.0.1776427792073; Fri, 17 Apr 2026 05:09:52 -0700 (PDT)
Received: from ehlo.thunderbird.net ([2406:5900:1038:15ba:ad9c:8caa:ec33:807a]) by smtp.gmail.com with ESMTPSA id 956f58d0204a3-65314e328d6sm600863d50.11.2026.04.17.05.09.50 for <acme@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 17 Apr 2026 05:09:51 -0700 (PDT)
Date: Fri, 17 Apr 2026 21:09:46 +0900
From: Seo Suchan <tjtncks@gmail.com>
To: acme@ietf.org
User-Agent: K-9 Mail for Android
In-Reply-To: <0548587B-B211-4BC9-8F4F-51F30EC555E0@heurich.com>
References: <CAFg2froJTxp+kT_VdSuNs9LVqFQhO-WJZBt=-qoVQO9c8M+=Xw@mail.gmail.com> <CAEmnErdOBBzj+5nuZBYo0zN64zMXDeX-3sdcFBQqJirmHky2gA@mail.gmail.com> <0548587B-B211-4BC9-8F4F-51F30EC555E0@heurich.com>
Message-ID: <EDFCDF8C-28C2-42E9-8A22-0583BEF60DD9@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----JOWGWM0N1SWVG986Y37JBI7LH92FG9"
Content-Transfer-Encoding: 7bit
Message-ID-Hash: N5TPXGFT3X5YKBVJHF6VDNGIQRTAH5LN
X-Message-ID-Hash: N5TPXGFT3X5YKBVJHF6VDNGIQRTAH5LN
X-MailFrom: tjtncks@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-acme.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Acme] Re: Potential issues with dns-persist-01
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/8J7Sm_dThWPSHIcM9x9rtO_tNWg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Owner: <mailto:acme-owner@ietf.org>
List-Post: <mailto:acme@ietf.org>
List-Subscribe: <mailto:acme-join@ietf.org>
List-Unsubscribe: <mailto:acme-leave@ietf.org>
How hard for an ACME CA to remember every public keys an account was/is tied to? On 2026년 4월 17일 오후 8시 39분 42초 GMT+09:00, Shiloh Heurich <shiloh=40heurich.com@dmarc.ietf.org> 작성함: > >> On Apr 6, 2026, at 14:40, Aaron Gable <aaron=40letsencrypt.org@dmarc.ietf.org> wrote: >>> On Sat, Apr 4, 2026 at 6:47 PM zandoodle <maxoscarhearnden@gmail.com> wrote: >>> • An attacker sets up an ACME server and convinces the client to use it, the client is then provided the attacker's ACME account on the CA's domain and instructs the client to setup dns-persist-01 under the attacker's account. >>> • An attacker sets up an ACME server and convinces the client to use it, the client is then provided the attacker's ACME account for the attacker's domain and instructs the client to setup dns-persist-01 under the attacker's account. This requires that the certificate authority allows accounts to be created under the attacker's domain e.g. creating the account under the domain in the Host header field as done by Let's Encrypt. >> >> A few notes here: >> >> First, these two scenarios are essentially identical. In both of them, the attacker is merely providing an attacker-controlled account URI to the victim client, to get them to populate it in a DNS record. The only difference with the second scenario is that the victim client operator would see that their directory URL and account URL have the same domain name, and might be less likely to notice that something weird is going on. >> >> Second, the second of these scenarios doesn't actually work, at least not against Let's Encrypt. Although we reflect the Host: header in API responses, we only respect the canonical AccountURI for the purpose of CAA and dns-persist-01 accounturi=. A client that populates a TXT record with `accounturi=malicious.ca/acme/acct/12335` would not be able to complete validation. >> >> Finally, the fundamental threat model here was already considered and mitigated in RFC 8555. One can imagine a similarly-positioned malicious ACME proxy-esque server which intercepts an HTTP-01 challenge and replaces the `token` with one of its own. However, the attacker still can't get the victim client to successfully complete validation because the necessary value presented by the client to complete the challenge consists of two pieces of information: the token (provided by the server) and the Key Authorization (computed directly by the client). The victim client can't be fooled into computing a Key Authorization for the malicious proxy's key. >> >> So the solution here is to do the same. The dns-persist record should contain a piece of information computed directly by the client, rather than merely provided by the (potentially malicious) server. So I agree with Sebastian's suggestion that the record format should support an `accountkey=` parameter. > >Your analogy to the http-01 token substitution is correct. In the standard challenge flow, the dns-persist record contains no client-computed cryptographic material, so the same class of attack applies. RFC 8555 §10.2 describes this pattern formally and explains why Key Authorization was designed to prevent it. The draft should address this. > >Pre-provisioning is a different story and the thread hasn't raised it. In that flow there's no challenge object. The client constructs the record from its own account URL (the §7.3 Location header) and the `issuer-domain-name` from directory metadata or the CP/CPS. No server-provided value to substitute. This is the primary deployment model for the enterprise and multi-tenant cases the draft targets. > >The harder problem is that persistence and key binding work against each other. Key Authorization works for http-01 and dns-01 because those values are ephemeral: provision, validate, remove, rotate the key freely. A persistent record containing Thumbprint(accountKey) means every key rotation (§7.3.5) invalidates every dns-persist record across every domain on the account. For subscribers with hundreds or thousands of domains, that defeats the purpose of a persistent method. The draft chose accounturi because it's stable across rotations. > >Persistence, cryptographic key binding, key rotation support: pick two. That's the core tension. > >I see three options, roughly by disruption level: > >(a) Strengthen client verification within the current design. Upgrade the §3.1 SHOULD to MUST when the client knows its own account URL. Add explicit security analysis of the missing dual-channel binding and the rationale. Qualify the "strong binding" language in §7.2. > >(b) Add an optional accountkey= parameter carrying base64url(Thumbprint(accountKey)), always self-computed by the client. When present, the CA verifies the thumbprint matches the current key. Restores dual-channel binding when used, but clients accept that rotation means updating DNS records. The forward-compatibility rule (MUST ignore unknown parameters) means existing implementations won't enforce it, so this only helps against CAs that opt in. > >(c) Sebastian's pubkey: scheme in accounturi. Max already noted the problem: a malicious server can tell the client its accounturi is pubkey:<attacker-thumbprint>. Always-self-compute as a mitigation requires the client to distinguish pubkey URIs it should compute from regular URIs it should provision as-is. That seems fragile. > >I'd go with (a) for -02, possibly (b) as a follow-on. But the real question for the WG is whether the pre-provisioning distinction is sufficient, or whether the standard challenge flow needs cryptographic binding even at the cost of rotation compatibility. > >Shiloh >_______________________________________________ >Acme mailing list -- acme@ietf.org >To unsubscribe send an email to acme-leave@ietf.org
- [Acme] Potential issues with dns-persist-01 zandoodle
- [Acme] Re: Potential issues with dns-persist-01 Seo Suchan
- [Acme] Re: Potential issues with dns-persist-01 Sebastian Robin Nielsen
- [Acme] Re: Potential issues with dns-persist-01 zandoodle
- [Acme] Re: Potential issues with dns-persist-01 zandoodle
- [Acme] Re: Potential issues with dns-persist-01 Aaron Gable
- [Acme] Re: Potential issues with dns-persist-01 Sebastian Robin Nielsen
- [Acme] Re: Potential issues with dns-persist-01 zandoodle
- [Acme] Re: Potential issues with dns-persist-01 zandoodle
- [Acme] Re: Potential issues with dns-persist-01 Sebastian Robin Nielsen
- [Acme] Re: Potential issues with dns-persist-01 Sebastian Robin Nielsen
- [Acme] Re: Potential issues with dns-persist-01 zandoodle
- [Acme] Re: Potential issues with dns-persist-01 Sebastian Robin Nielsen
- [Acme] Re: Potential issues with dns-persist-01 Shiloh Heurich
- [Acme] Re: Potential issues with dns-persist-01 Seo Suchan
- [Acme] Re: Potential issues with dns-persist-01 Shiloh Heurich
- [Acme] Re: Potential issues with dns-persist-01 Shiloh Heurich
- [Acme] Re: Potential issues with dns-persist-01 Sebastian Robin Nielsen
- [Acme] Re: Potential issues with dns-persist-01 zandoodle
- [Acme] Re: Potential issues with dns-persist-01 Shiloh Heurich
- [Acme] Re: Potential issues with dns-persist-01 Aaron Gable