Re: [Acme] Mail regarding craft of hash for draft-ietf-acme-dns-account-challenge

Amir Omidi <amir@aaomidi.com> Tue, 06 February 2024 22:35 UTC

References: <31b872f6-2ced-41b3-b22c-58ae89058570@gmail.com> <CAOG=JULrdnk4wYBKB-pfY4kXK=fF=ODi6PZ3wEj=zn7B4=nZXQ@mail.gmail.com> <ab7caac8-52b8-4416-9083-fe8533d51ec4@gmail.com> <CAOG=JUJvhTfN8b_giddEN0wH+3mf2Fh0j6FNij=qg=AXj+zzSA@mail.gmail.com> <CAEmnErfLN6cN21_-pJPb-d7u+tPCd1Dw97d-GmDzFm9wfT4d=w@mail.gmail.com>
In-Reply-To: <CAEmnErfLN6cN21_-pJPb-d7u+tPCd1Dw97d-GmDzFm9wfT4d=w@mail.gmail.com>
From: Amir Omidi <amir@aaomidi.com>
Date: Tue, 06 Feb 2024 17:35:05 -0500
Message-ID: <CAOG=JULpYmjjfa=7m=L7keKHham+6P1BH7c+pXFzAmJXzK-bQQ@mail.gmail.com>
To: Aaron Gable <aaron=40letsencrypt.org@dmarc.ietf.org>
Cc: Seo Suchan <tjtncks@gmail.com>, acme@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/9XNDMqCCvBEwsjeJzBfIOi5DfsM>
Subject: Re: [Acme] Mail regarding craft of hash for draft-ietf-acme-dns-account-challenge

We are using the `kid` value. And from my understanding in the ACME spec,
when a client is responding with a POST request to the challenge URL, the
KID is included in that JWS payload.

That's the KID that should be used for constructing the validation domain.

On Mon, Feb 5, 2024 at 12:22 PM Aaron Gable <aaron=
40letsencrypt.org@dmarc.ietf.org> wrote:

> And I think the implication here is that, if an ACME server responds on
> multiple URIs and reflects those multiple URIs back to the client in the
> Location header, then that server must also support hashes of those
> multiple URIs when conducting DNS-ACCOUNT-01. Does that make sense?
>
> Aaron
>
> On Sat, Feb 3, 2024 at 1:18 PM Amir Omidi <amir=
> 40aaomidi.com@dmarc.ietf.org> wrote:
>
>> No, the accountURL/URI that new-account returns is the only authoritative
>> path. I'll make sure that it is spelled out in the RFC. If an acme client
>> has an account key, it can use the method described here:
>> https://datatracker.ietf.org/doc/html/rfc8555#section-7.3.1 to find the
>> accountURL for that account.
>>
>> Since ACME does not define "what the ID part of an accountURL is", I'm
>> much more inclined to just keep the entire accountURL as the ID to be
>> hashed for the challenge label.
>>
>> On Sat, Feb 3, 2024 at 3:59 AM Seo Suchan <tjtncks@gmail.com> wrote:
>>
>>> If it's stable but has multiple valid paths (e.g. acme-v1.ca.com and
>>> acme-v2.ca.com), would the server need to try both subdomains and look up
>>> every possible valid path?
>>> On 2024-02-03 at 1:35 AM, Amir Omidi wrote:
>>>
>>> From my understanding, under ACME we treat that entire accountURL as the
>>> userID. So I think that URL will need to be stable.
>>>
>>> On Fri, Feb 2, 2024 at 2:36 AM Seo Suchan <tjtncks@gmail.com> wrote:
>>>
>>>> Some ACME servers have multiple allowed ACME endpoint domains, and the
>>>> server doesn't know what domain name the client used to access its API,
>>>> so it doesn't have the full accountURL that was used to craft the
>>>> challenge subdomain:
>>>>
>>>> For example, Boulder (what Let's Encrypt uses) allows access from
>>>> multiple paths, e.g.:
>>>>
>>>> "accountURIPrefixes": [
>>>>   "http://boulder.service.consul:4000/acme/reg/",
>>>>   "http://boulder.service.consul:4001/acme/acct/"
>>>> ]
>>>>
>>>> and Pebble and smallstep do not have a host in their config but allow any
>>>> IP or domain pointed at them and reflect it to create the links to
>>>> account/order/etc.
>>>>
>>>> Would using only the userid part of the accountURL (ExampleAccount) from
>>>> https://example.com/acme/acct/ExampleAccount be a problem? It's trivial
>>>> to recover the accountURL from the hash, as the accountID was an
>>>> autoincrementing counter, but since there are so few large ACME providers
>>>> it was trivial to make a rainbow table anyway.
>>>>
>>>> _______________________________________________
>>>> Acme mailing list
>>>> Acme@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/acme
>>>>
>
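An added example, not code from anyone in this thread or from Boulder, that puts two points of the discussion side by side: Amir's point that the account URL to hash is the `kid` the client sends in its challenge-response JWS, and Aaron's implication that a server reflecting several account URL prefixes must be prepared for a label derived from any of them. Assumptions: the label construction itself (first 10 bytes of SHA-256 over the account URL, base32-encoded, under `_acme-challenge`) is my reading of the draft and must be checked against the current text; the two prefixes are the Boulder values quoted above; the account id `1234`, the nonce and the challenge URL are constructed; all function names are mine.

```python
import base64
import hashlib
import json

# Account URL prefixes one server answers on, taken from the Boulder config
# quoted in the thread. A server that reflects several prefixes in Location
# headers must accept a label derived from any of them.
ACCOUNT_URI_PREFIXES = [
    "http://boulder.service.consul:4000/acme/reg/",
    "http://boulder.service.consul:4001/acme/acct/",
]


def account_label(account_url: str) -> str:
    """Derive the per-account DNS label from the full account URL.

    Assumed construction (verify against the current draft): the first 10
    bytes of SHA-256(accountURL), base32-encoded. 80 bits is exactly 16
    base32 characters, so no '=' padding appears; lower-cased because DNS
    labels are compared case-insensitively.
    """
    digest = hashlib.sha256(account_url.encode("utf-8")).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def validation_domain(account_url: str, identifier: str) -> str:
    """Name the TXT record is published under (assumed form)."""
    return f"_{account_label(account_url)}._acme-challenge.{identifier}"


def _b64url_decode(data: str) -> bytes:
    # JWS uses unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def kid_from_jws(jws: dict) -> str:
    """Client side: the account URL to hash is the 'kid' carried in the
    protected header of the challenge-response JWS (RFC 8555 section 6.2)."""
    protected = json.loads(_b64url_decode(jws["protected"]))
    return protected["kid"]


def make_sample_jws(kid: str) -> dict:
    """Constructed stand-in for a client's JWS; only the protected header
    matters here, so nonce, url, payload and signature are placeholders."""
    header = {
        "alg": "ES256",
        "kid": kid,
        "nonce": "constructed-nonce",
        "url": "https://ca.example/acme/chall/1",  # constructed
    }
    raw = json.dumps(header).encode("utf-8")
    protected = base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return {"protected": protected, "payload": "", "signature": "placeholder"}


def candidate_domains(account_id: str, identifier: str,
                      prefixes=ACCOUNT_URI_PREFIXES) -> list:
    """Server side: every validation domain a multi-prefix server must be
    prepared to query for one account id, one per reflected prefix."""
    return [validation_domain(p + account_id, identifier) for p in prefixes]


def server_accepts(observed_name: str, account_id: str, identifier: str,
                   prefixes=ACCOUNT_URI_PREFIXES) -> bool:
    """Does the name the client published match any label this server could
    have produced for the account? Compared case-insensitively, as DNS does."""
    return observed_name.lower() in candidate_domains(account_id, identifier, prefixes)


if __name__ == "__main__":
    jws = make_sample_jws(ACCOUNT_URI_PREFIXES[1] + "1234")
    kid = kid_from_jws(jws)
    print("kid:", kid)
    print("client publishes under:", validation_domain(kid, "example.com"))
    for name in candidate_domains("1234", "example.com"):
        print("server must check:", name)
```

The design choice this illustrates: the server does not need to know which hostname the client used, it derives one candidate name per prefix it is willing to reflect and accepts a match against any of them, while the client hashes exactly the `kid` string it sends, byte for byte. Any normalisation on either side (a trailing slash, a port, scheme or host case) changes the label, which is why the thread converges on the server-issued account URL as the only authoritative input.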