Re: [Acme] Want client-defined callback port

Peter Eckersley <pde@eff.org> Thu, 23 April 2015 02:34 UTC

Return-Path: <pde@mail2.eff.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3D3A1B2DEA for <acme@ietfa.amsl.com>; Wed, 22 Apr 2015 19:34:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.012
X-Spam-Level:
X-Spam-Status: No, score=-7.012 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1sH9WwTw3zRV for <acme@ietfa.amsl.com>; Wed, 22 Apr 2015 19:34:01 -0700 (PDT)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD84F1B2DE5 for <acme@ietf.org>; Wed, 22 Apr 2015 19:34:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=In-Reply-To:Content-Transfer-Encoding:Content-Type:MIME-Version:References:Message-ID:Subject:Cc:To:From:Date; bh=DS2gDmqTpZg/2l+xwQb9Wbv76nXtHVsAakV8KAZ6MSw=; b=FxwocD4Ns0k+qe/0MMcfwG990mLAHfxqPZhAGDnuLo11pq7AZO2iI7f0Jnh8BLQL+rN4ZYcxWVkOm8FsF8/UwjbD2TmLYTaUWzlGbcft+p8L6H7RuJLcGAl4iqlVMgG2qCR9wsZiRTrxgqyavGj9y/3ifIYX8LaGdec73DoWGr4=;
Received: ; Wed, 22 Apr 2015 19:33:58 -0700
Date: Wed, 22 Apr 2015 19:33:58 -0700
From: Peter Eckersley <pde@eff.org>
To: Richard Barnes <rlb@ipv.sx>
Message-ID: <20150423023358.GW27613@eff.org>
References: <352DA5FE-AC6F-49A7-8F9F-70A74889204F@apple.com> <CAK3OfOjey4bk02qC_jj2c0AzZ54qnP=KAJnG=mXnO6A5gZ4m9g@mail.gmail.com> <CAL02cgQ94ijVrCM9SStcodRW+XSG2w5Zwu3+ny8HriDBnxjdtg@mail.gmail.com> <FF21526F-BA8D-4F54-AAE3-047632706668@apple.com> <CAL02cgSDk0TNYusEkXA3onmqF7=kaAWhHjpW8WjbiqxgQMdQwQ@mail.gmail.com> <555F6C74-2416-4893-BDEA-A3C2E55A6D57@apple.com> <16985cf1c8c444c48d328fa766ec5ff8@usma1ex-dag1mb2.msg.corp.akamai.com> <DE264105-7317-4343-BCEE-539A73D42544@apple.com> <CAL02cgTv5Zi4wP0gJPvcrty6N96pAaLRkCveyvMNfoyjQrrEyw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAL02cgTv5Zi4wP0gJPvcrty6N96pAaLRkCveyvMNfoyjQrrEyw@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/8M3X34MCEqyUUeuZLK0YvPjoNLg>
Cc: "Salz, Rich" <rsalz@akamai.com>, "acme@ietf.org" <acme@ietf.org>, Bruce Gaya <gaya@apple.com>, Nico Williams <nico@cryptonector.com>
Subject: Re: [Acme] Want client-defined callback port
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Apr 2015 02:40:20 -0000

On Wed, Apr 22, 2015 at 06:10:13PM -0400, Richard Barnes wrote:
> On Tue, Apr 21, 2015 at 10:53 PM, Bruce Gaya <gaya@apple.com> wrote:

> > I agree that client access to ports below 1024 usually requires more
> > privileges and that’s generally safer than allowing any client port.
> >
> 
> So would you be OK with the spec saying that the server MUST reject
> client-specified ports that are greater than 1023?
> 

I'd support adding a mechanism to ACME to run one of the available
challenge types on a non-443 but privileged port, if the client needs it
for practical reasons (whether Let's Encrypt should use that mechanism
is a different question, of course).

It seems to be a bad idea to leave the choice of privileged port up to
the client, or even up to the client but constrained by a short
blacklist (Martin Thompson's suggestion).  The problem is that there is
an enormous diversity of software deployed on privileged ports, and it's
very hard to tell when some of that software might be trickable by
remote attackers into responding in a way that causes a Challenge to
succeed.

So the CA should have a policy of only allowing validation on perhaps
0-2 of the other ports below 1023, with that choice backed by fairly
thorough research, and then the question will be how the client knows
the CA's policy, and which port it should try to ask for.

Perhaps those policies can be stored out of band, or perhaps we can add
a separate REST API endpoint where clients ask what ports the server
considers acceptable for DV Challenges.

-- 
Peter Eckersley                            pde@eff.org
Technology Projects Director      Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993