Re: [Acme] Obtaining the Tor hidden service descriptor for draft-ietf-acme-onion
Seo Suchan <tjtncks@gmail.com> Wed, 18 October 2023 02:27 UTC
Return-Path: <tjtncks@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC7F1C1519BD for <acme@ietfa.amsl.com>; Tue, 17 Oct 2023 19:27:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.592
X-Spam-Level:
X-Spam-Status: No, score=-1.592 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_TEMPERROR=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H32fAhC9eS4D for <acme@ietfa.amsl.com>; Tue, 17 Oct 2023 19:27:22 -0700 (PDT)
Received: from mail-oa1-x32.google.com (mail-oa1-x32.google.com [IPv6:2001:4860:4864:20::32]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1C29C1519B1 for <acme@ietf.org>; Tue, 17 Oct 2023 19:27:07 -0700 (PDT)
Received: by mail-oa1-x32.google.com with SMTP id 586e51a60fabf-1e12f41e496so3921814fac.3 for <acme@ietf.org>; Tue, 17 Oct 2023 19:27:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1697596026; x=1698200826; darn=ietf.org; h=in-reply-to:autocrypt:from:references:cc:to:content-language :subject:user-agent:mime-version:date:message-id:from:to:cc:subject :date:message-id:reply-to; bh=x/OFrZydyvkQHu6l0MFe/8xP8ZvrarLa7sIDbA47u7o=; b=NfHb9jWwayphnefH+lotMLUVhIa6aRs2BWHTcHx4wWBowH3LcgT6SXxUrVJYRQCyvh vaFxa5q+xd6OMGAleXJU+pN4svIV2HKiNhWMCsft+6PGqBXLC5ngt2IHKGvxhc4ZlUm6 LzFqacKsOpXOv7ENTE8ztb/jtp5PbFZ47RdiINBeFdOt4TB+LVzadbz4FVsJ07WZD3Op R/SLLiYLZPnUxig7cMbxLKll9u5oz6g12o7/h0E/Eq+VWQ0R48fLVEyZjutDQ5LwNex2 5GvXbP7yp3G5fqkvqtSCIg+DyBnxi9hb7CVrG2NIGDl7oAUT67ekK+nhkdUSOl+hDKFk LaHA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697596026; x=1698200826; h=in-reply-to:autocrypt:from:references:cc:to:content-language :subject:user-agent:mime-version:date:message-id:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=x/OFrZydyvkQHu6l0MFe/8xP8ZvrarLa7sIDbA47u7o=; b=HZLk+NedAXF1EqsyuWOxXFLBCPjA4KaF/HxK/86rjONiVD2z6jeXM656NAdR782m2X WluUq+uyqXUVOpAgLiLLe+kXFuYoubcXdAubs4k4n3f9oIW1t0HD68eCi1VimgH+fzcO H3CMD9v6IDcaH5wGeEtS7Qc0T1Df6MQ2nwpJ23jgojYt2vi4+eLi+AKUppRz0fA+QZjr 8OQ7QVQjI6C4DcMc0G3tlUHrNhk3HtB0LzLTTqpKxEdkemFk/C/SzoVGmPITOD2r7fW4 z5k4PisJFbv9pUnUj7k00X/xttwRKtweVqEINc8MdrcBY+76jwn8y6kJg34+EF4LzoTj O87w==
X-Gm-Message-State: AOJu0YxZedfPRoomMjspIDdeg/s8NOQvfw17B4zAL/N6YRDyM9fGvELM Upe9fnLYDQ2dCBAPel6ZmFnTUS1ZBsBLw/jDW28=
X-Google-Smtp-Source: AGHT+IH3wBw3fqOkvcBxKULi5mpbAWNUAaSxJ0KLgs2eyIYyJ6p4wevepYJ20AmnJ1v0FPy0z0F5ug==
X-Received: by 2002:a05:6870:6b97:b0:1e9:fc64:14b4 with SMTP id ms23-20020a0568706b9700b001e9fc6414b4mr4342674oab.33.1697596026120; Tue, 17 Oct 2023 19:27:06 -0700 (PDT)
Received: from ?IPV6:2406:5900:1038:1000:2d8b:b9ba:4d03:6e07? ([2406:5900:1038:1000:2d8b:b9ba:4d03:6e07]) by smtp.gmail.com with ESMTPSA id s132-20020a63778a000000b005897bfc2ed3sm556315pgc.93.2023.10.17.19.27.04 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 17 Oct 2023 19:27:05 -0700 (PDT)
Content-Type: multipart/alternative; boundary="------------fCYLtfD8S9GTEO5if64T30lq"
Message-ID: <d643fa26-bb48-4bc4-823b-01a9c923ee30@gmail.com>
Date: Wed, 18 Oct 2023 11:27:02 +0900
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: da, en-US
To: Q Misell <q@as207960.net>
Cc: acme@ietf.org
References: <CAMEWqGvnrgp=f4eO1nQ9hzzCnY2z-pxE8fyQvHnzTDYCx-jq6A@mail.gmail.com> <ZSWikYeVECjUrLM0@localhost> <CAMEWqGuJMA99nF8QCC+mJS3N1hSu3Gakvh+=bgo5H-VDgK8Z9g@mail.gmail.com> <CAMEWqGvN1n91eNZzZNfPQ89-Xoj-d9f_rPy0t_byneeDhxNStg@mail.gmail.com> <CAMEWqGt-+xxw3amX17Q247L0HiirAz5aDy7YWPFfSDGp5iMH+g@mail.gmail.com> <f96a266c-a55e-434b-8652-7f9854f643bc@gmail.com> <CAMEWqGs4zmxp66MMW_+z1j1ts9fvS8Gia=zKor7HxVQnUKvbkw@mail.gmail.com> <A5C851EB-90CC-4C7D-97C9-2C287BA8446D@gmail.com> <CAMEWqGu2vO7-5fY749hiCoE0hnHeHh_KiA2oqSgtSrAwNJB4UQ@mail.gmail.com>
From: Seo Suchan <tjtncks@gmail.com>
Autocrypt: addr=tjtncks@gmail.com; keydata= xsDNBGN7GSUBDACv4kxByGqR6X+g16a+ZGb/I4ahDx2I8ZSDLro/bdnzeF4sxc50TeQAwk7F gFx9UYj0x5FXZTTkkhk1VysfS/ZRtr9LDJ8ZGrDX/kcyNRYdXbPYwnMd7A6eAS2NEcMpgh1z JEo8WA+rVgSoc7nNdHR8WpCgtuBZs3j08+3LzfSbuCFXNxf/mMU6+1fqBBqkUGb8z1b6Jcmi 9D3PLiVIOnyj5HcNEKKz18gKWr5HrM9MUpRHciTP0Z5/wR/KlEYbb7lI7lSiEM3F5wsPnfDV F52GX1x6d/j8swWech/N6h42mm2MNdU5K17Ob0j+u4X0ZVQjBSNpSYLkgOhIwZ1x2UaMrUbC ouPrCEVOD7bWCyBFYpsiiJ0B/Nauu2G8sJDLpyeH9QA431+XQ5wj2TwTreqC/KpMWc+ikTyt YKmGoLzY93rakDsPw7fXm3Cve2mZ0qBj2XRTClsM/6x0p3ghj4wynA+UJ2N4vJ0V4qILEyAF A+3XGEpN0BtNCWiqO8PwtMMAEQEAAc0eU2VvIFN1Y2hhbiA8dGp0bmNrc0BnbWFpbC5jb20+ wsEHBBMBCAAxFiEExSjWMeUiRmfe1PiS7Lo6Jc7pimkFAmN7GSUCGwMECwkIBwUVCAkKCwUW AgMBAAAKCRDsujolzumKae2rC/9UPZIY36sVDh/fuNs6z7Y4SF8nvfNIkkAdeD891sju2rUd kri3OFUlMGJDLfGjth+ZZPb94CndO+vFql94VyEIiI8q6OGwlNM7L3cntV8vSCo9i8OVsNvM S8PjDlqRqcq/tm0kX9q4ELxQtsBqSgTREVHNb8PTMHn7mPlZIuFkx6H4zGtyQxMmz5TH4rH/ jrW6vtJn+yFwnt8rux0hpOU7UNyA0BmGiJOD44oHgb/knrexJ+KQY4mVf/Bgzuarfqnp3JSB R6HxMk3px+gH/oz35vVTJNqKJN2Lt4Vo/ku1YzyLAjE+wPp+8zJjTEAZyBhxTp9kVci41blw J+PR6GY/JjlVw0mC8Ab8G3uLj5NvOTnP2rbFHmO9ecWNEP/7xN8rQy0s7r8ojJrarj+tZwpk 2AP5QLwLHNKwHwsqPk6+96/c6ANYdflQl8uOvLPAXEayBmbEYo/KownLgp3B41iaIqYCRpVv Fxux/zSK32QCbnTsfHOu/NlRpq4VfXll6SnOwM0EY3sZJgEMAOOp2sC96VCGwDluPA1MTtWS ptbvr2s4MBBCfYIDQAqpW9Zhuaj+tH2Z8OYlgf6U5WouhlaxDrKIrVNn1uFjZFmoC89NmlnQ hEDxzXa8sRzudrxsPrZTagDIOKm/DQW6OUZi9TuduoQ+xHZMpc4H56bueWOzitzNPqogf0D0 z3qu1UUqR1+w+dnoSlV5y75cW6eX9bZeXR9Zqimv2Q/WjPAFphPMG+WD4+kpsPKodQGhArmx WDkM+tu/n/U88vrUnzjCfs+qt69a5lZSGodf/YzkGaeZpXmzX1OIBjVMEe4++6euhWSkS/c7 RZeHVUaebOj9vP713I6iHMiPOOTpvatlxK8gxIsY9gBerEymgtd9JjbWS7mLRt8Inn8A4mIK 9/30R57f33heKZ5xgqxgBdAHmtrh/13bTw0r6Sh/3izQyN+WGjiJqbpSnvuGtqaSB93gbpLK U8Px8VcaWOuY5WKkE2t/rSU5w27Kf72a79LWnSJ+l8jv1fFnhmigkqH0+QARAQABwsD2BBgB CAAgFiEExSjWMeUiRmfe1PiS7Lo6Jc7pimkFAmN7GSYCGwwACgkQ7Lo6Jc7pimkY8Av+OGVS 59yLCXxr5UK3SPZrh8KcyQQdqqpMW7UDse8Fo6shXWL9VAh26gFhfaKo6seAHCeedSDhVvop FkoxpWM+TK8dEMZBD+Xru3gEhQW7lBGn45E0AHPIe/trXDidGRXC4HDJ1Xk8aavfGSBMnc6M nmwm23VjDXppKEhjk+iEUWwiDxzeahV63KkcWIXx/j+IBnXwMi7HkXEK5dVWP9kuM5d8soIb BbEZ2fl4IJNjy+SBWK6/fR+WgxfWLth5f/mIBm1nsF7UUXDjOS5ZR918cKtoK6VZaWZu/N6C aAVD4gZtOZCParum5cMx79ggrfQxOqVCcfmxM43aroOB6bElAe34t+F/cD9bxCVspJ37RsAW dS7rT7WyCfQPlP4Szf4XAQoVdfiszKPUdTCrnvMKHqnPP0JD6SmK67e1uF4gKZKs3X5qOiF6 CQZ+JBWAq4BxoUfqpkuPsD5m82P7eWO66SzztUJp5BJ47wRBdmGyizGb9Hc9ro+61/QeLCtD Yyjs
In-Reply-To: <CAMEWqGu2vO7-5fY749hiCoE0hnHeHh_KiA2oqSgtSrAwNJB4UQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/AWX16PW3xjXNzW5tGC32FueDcBE>
Subject: Re: [Acme] Obtaining the Tor hidden service descriptor for draft-ietf-acme-onion
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Oct 2023 02:27:29 -0000
now I read it once again, I find in-band caa make less sense and just onion-csr challenge bypass CAA records: as current status CAA nor CAA-critical posted won't ensure there will be no certificate because you can bypass with in-band projection from CA without Tor client, and they won't read reason to CAA-critical on first level descripter too, and with onion private key to sign csr with nonce it's possible to just post new descripter without CAA to tor network, as its what controls everything for that onion domain. and for http/tls-acme challenges CAA-critical is redundant, as such challenges will fail autometically if they can't access introduction points because can't decrypt second level. so my suggestion would be onion-csr challenges just ignore CAA, as with that key it's trival to just change it anyway, or enforce online CAA check. 2023-10-17 오후 6:53에 Q Misell 이(가) 쓴 글: > > Well if CA is willing to run tor In house they can read caa record > tor network (CA/B br forbids using external proxy to access tor > website for verification purpose) and for onion challenge it already > have the key to sign this on demand. > Good point, I evidently had not thought through things properly. > > > And it's kinda vague when acme server are running tor client and see > caa in finalization object : it may process it or ignore it and even > reject finalization because not implementing this extension as they > think not needed > > Yeah that bit does need further clarification. My intent was a CA may > process it if they want to, but are not required to do anything with > it, giving the following outcomes: > - CA with a Tor client and no CAA in finalize: fetch CAA over Tor > - CA without a Tor client and no COO in finalize: error > - CA with a Tor client and CAA in finalize: either fetch CAA over Tor > or use provided CAA, up to CA preference, but do not error purely > because the CAA is there > - CA without a Tor client and CAA in finalize: use provided CAA > > I'll work on making that clearer in the next revision. > ------------------------------------------------------------------------ > > Any statements contained in this email are personal to the author and > are not necessarily the statements of the company unless specifically > stated. AS207960 Cyfyngedig, having a registered office at 13 > Pen-y-lan Terrace, Caerdydd, Cymru, CF23 9EU, trading as Glauca > Digital, is a company registered in Wales under № 12417574 > <https://find-and-update.company-information.service.gov.uk/company/12417574>, > LEI 875500FXNCJPAPF3PD10. ICO register №: ZA782876 > <https://ico.org.uk/ESDWebPages/Entry/ZA782876>. UK VAT №: > GB378323867. EU VAT №: EU372013983. Turkish VAT №: 0861333524. South > Korean VAT №: 522-80-03080. AS207960 Ewrop OÜ, having a registered > office at Lääne-Viru maakond, Tapa vald, Porkuni küla, Lossi tn 1, > 46001, trading as Glauca Digital, is a company registered in Estonia > under № 16755226. Estonian VAT №: EE102625532. Glauca Digital and the > Glauca logo are registered trademarks in the UK, under № UK00003718474 > and № UK00003718468, respectively. > > > > On Tue, 17 Oct 2023 at 10:33, Seo Suchan <tjtncks@gmail.com> wrote: > > well if CA is willing to run tor In house they can read caa record > tor network (CA/B br forbids using external proxy to access tor > website for verification perpose) and for onion challenge it > already have the key to sign this on demand > and it's kinda vague when acme server are running tor client and > see caa in finalization object : it may process it or ignore it > and even reject finalization because not implementing this > extension as they think not needed > > > On 2023년 10월 17일 오후 6시 23분 21초 GMT+09:00, Q Misell > <q@as207960.net> 작성함: > > The rationale for expiry is that in the case of http-01 or > tls-alpn-01 the ACME client need not have access to the Onion > service's secret key. A long lived CAA signature could be > generated with the key, provided to the ACME client to use, > and the key could be kept away from the ACME client and only > available on the machine running the Tor proxy. > ------------------------------------------------------------------------ > > Any statements contained in this email are personal to the > author and are not necessarily the statements of the company > unless specifically stated. AS207960 Cyfyngedig, having a > registered office at 13 Pen-y-lan Terrace, Caerdydd, Cymru, > CF23 9EU, trading as Glauca Digital, is a company registered > in Wales under № 12417574 > <https://find-and-update.company-information.service.gov.uk/company/12417574>, > LEI 875500FXNCJPAPF3PD10. ICO register №: ZA782876 > <https://ico.org.uk/ESDWebPages/Entry/ZA782876>. UK VAT №: > GB378323867. EU VAT №: EU372013983. Turkish VAT №: 0861333524. > South Korean VAT №: 522-80-03080. AS207960 Ewrop OÜ, having a > registered office at Lääne-Viru maakond, Tapa vald, Porkuni > küla, Lossi tn 1, 46001, trading as Glauca Digital, is a > company registered in Estonia under № 16755226. Estonian VAT > №: EE102625532. Glauca Digital and the Glauca logo are > registered trademarks in the UK, under № UK00003718474 and № > UK00003718468, respectively. > > > > On Tue, 17 Oct 2023 at 04:15, Seo Suchan <tjtncks@gmail.com> > wrote: > > > not sure giving expiry by client side is meaningful: as we > send this at finalization step, and as something would be > very wrong if one request another certificate in 8 hours > from last certificate so whatever value client may put > there will be expired by the time we request: in effect > it'd be act more like timestamp and if it is I kinda want > it to be nonce for that certificate finalization explicitly. > > 2023-10-17 오전 3:10에 Q Misell 이(가) 쓴 글: >> Hi all, >> >> In-band CAA is now implemented on the reference CA at >> https://acmeforonions.org and in the certbot-onion >> <https://pypi.org/project/certbot-onion/> plugin. >> draft-ietf-acme-onion-01 has also been published with the >> in-band CAA spec (refined from my last email from issues >> that arose during implementation). >> >> Cheers, >> Q >> ------------------------------------------------------------------------ >> >> Any statements contained in this email are personal to >> the author and are not necessarily the statements of the >> company unless specifically stated. AS207960 Cyfyngedig, >> having a registered office at 13 Pen-y-lan Terrace, >> Caerdydd, Cymru, CF23 9EU, trading as Glauca Digital, is >> a company registered in Wales under № 12417574 >> <https://find-and-update.company-information.service.gov.uk/company/12417574>, >> LEI 875500FXNCJPAPF3PD10. ICO register №: ZA782876 >> <https://ico.org.uk/ESDWebPages/Entry/ZA782876>. UK VAT >> №: GB378323867. EU VAT №: EU372013983. Turkish VAT №: >> 0861333524. South Korean VAT №: 522-80-03080. AS207960 >> Ewrop OÜ, having a registered office at Lääne-Viru >> maakond, Tapa vald, Porkuni küla, Lossi tn 1, 46001, >> trading as Glauca Digital, is a company registered in >> Estonia under № 16755226. Estonian VAT №: EE102625532. >> Glauca Digital and the Glauca logo are registered >> trademarks in the UK, under № UK00003718474 and № >> UK00003718468, respectively. >> >> >> >> On Fri, 13 Oct 2023 at 17:19, Q Misell <q@as207960.net> >> wrote: >> >> I've found some time to specify in-band CAA, a quick >> first draft is in the working draft[1]. Looking >> forward to hearing people's thoughts. >> >> [1]: >> https://as207960.github.io/acme-onion/draft-ietf-acme-onion.html#name-alternative-in-band-present >> ------------------------------------------------------------------------ >> >> Any statements contained in this email are personal >> to the author and are not necessarily the statements >> of the company unless specifically stated. AS207960 >> Cyfyngedig, having a registered office at 13 >> Pen-y-lan Terrace, Caerdydd, Cymru, CF23 9EU, trading >> as Glauca Digital, is a company registered in Wales >> under № 12417574 >> <https://find-and-update.company-information.service.gov.uk/company/12417574>, >> LEI 875500FXNCJPAPF3PD10. ICO register №: ZA782876 >> <https://ico.org.uk/ESDWebPages/Entry/ZA782876>. UK >> VAT №: GB378323867. EU VAT №: EU372013983. Turkish >> VAT №: 0861333524. South Korean VAT №: 522-80-03080. >> AS207960 Ewrop OÜ, having a registered office at >> Lääne-Viru maakond, Tapa vald, Porkuni küla, Lossi tn >> 1, 46001, trading as Glauca Digital, is a company >> registered in Estonia under № 16755226. Estonian VAT >> №: EE102625532. Glauca Digital and the Glauca logo >> are registered trademarks in the UK, under № >> UK00003718474 and № UK00003718468, respectively. >> >> >> >> On Tue, 10 Oct 2023 at 21:22, Q Misell >> <q@as207960.net> wrote: >> >> Hi Silvio, >> >> Thanks for that info, that's quite helpful. >> >> I think the idea of allowing the client to just >> send the CAA lines signed by its key would work >> well, and remove most if not all of the problems >> I've been running into. >> I'll work on implementing that in my draft, and >> see how difficult it'd be to get that part only >> working in Boulder (as Let's Encrypt have already >> indicated that they won't be implementing http-01 >> and tls-alpn-01 for hidden services). >> >> Cheers, >> Q >> ------------------------------------------------------------------------ >> >> Any statements contained in this email are >> personal to the author and are not necessarily >> the statements of the company unless specifically >> stated. AS207960 Cyfyngedig, having a registered >> office at 13 Pen-y-lan Terrace, Caerdydd, Cymru, >> CF23 9EU, trading as Glauca Digital, is a company >> registered in Wales under № 12417574 >> <https://find-and-update.company-information.service.gov.uk/company/12417574>, >> LEI 875500FXNCJPAPF3PD10. ICO register №: >> ZA782876 >> <https://ico.org.uk/ESDWebPages/Entry/ZA782876>. >> UK VAT №: GB378323867. EU VAT №: EU372013983. >> Turkish VAT №: 0861333524. South Korean VAT №: >> 522-80-03080. AS207960 Ewrop OÜ, having a >> registered office at Lääne-Viru maakond, Tapa >> vald, Porkuni küla, Lossi tn 1, 46001, trading as >> Glauca Digital, is a company registered in >> Estonia under № 16755226. Estonian VAT №: >> EE102625532. Glauca Digital and the Glauca logo >> are registered trademarks in the UK, under № >> UK00003718474 and № UK00003718468, respectively. >> >> >> >> On Tue, 10 Oct 2023 at 20:14, rhatto >> <rhatto@torproject.org> wrote: >> >> On Thu, Sep 07, 2023 at 04:55:51PM +0100, Q >> Misell wrote: >> > I've had some discussion recently with the >> Tor project on implementation >> > hurdles for draft-ietf-acme-onion. One >> concern that has been raised by a few is >> > the need to run a Tor client to validate >> requests, even with onion-csr-01, due >> > to the inclusion of CAA in the draft. >> >> Hi Q, and thanks for bringing this up. >> >> > One solution proposed to this is that the >> ACME client MAY[1] send the hidden >> > service descriptor to CA as part of the >> finalize request. The CA also MAY >> > require this, if they do not wish to run a >> Tor client. This, to my knowledge, >> > wouldn't reduce the security of the >> validation of CAA, as the descriptor >> > document is still cryptographically >> validated in the same way using the current >> > network consensus. Additionally the >> directory authorities that serve >> > descriptors are already non-trusted actors >> in Tor. >> > >> > The CA would still need a copy of the >> network consensus document to verify >> > the descriptor submitted by the client. >> Most directory authorities however >> > are reachable over standard HTTP over TCP, >> in addition to HTTP over Tor. >> > This would allow the CA to fetch the >> current consensus without any >> > connection to Tor. The consensus fetched >> this way would still be verified >> > against the trusted directory authorities >> of Tor[2]. >> >> Specifically, the "valid-after", >> "fresh-until", and "hsdir_interval" are >> the only consensus items needed to parse, >> decrypt and validate an Onion >> Service descriptor. >> >> > What are people's thoughts on this, and >> more importantly, what problems do >> > people see with this? >> >> After a lengthy discussion with Tor >> developers, we suggest the following >> options, prioritizing the least complex: >> >> 0. ACME clients MAY send "valid-after", >> "fresh-until" and "hs_interval" >> along with the descriptor, which would >> allow the ACME Server to verify >> CAA in a stateless way, without >> bootstrapping Tor to fetch the >> descriptor and without fetching the >> network consensus. >> >> 1. Only the descriptor is sent by the ACME >> client, so the ACME server would >> need to fetch and cache the network consensus. >> >> 2. The ACME client does not send the >> descriptor, leaving to the ACME server >> the job of fetching it, as stated on >> draft-ietf-acme-onion-00. >> >> For options 0 and 1 above, there are two ways >> that a consensus (or just the >> needed items) can be fetched either by ACME >> clients or servers: >> >> a. Through the Tor network, from one of many >> directory caches. >> >> As this involves bootstrapping Tor, it >> makes more sense for ACME >> clients to do this fetching, as clients >> are probably already connected >> to Tor in order to run an Onion Service or >> to make the ACME request >> through Tor. >> >> b. Doing HTTP over TCP, or HTTP over Tor to >> the directory authorities. >> >> While this is supported nowadays, it's not >> guaranteed to work in the >> long term, since this method is deprecated >> in favor of the approach >> above, and DirAuths may even stop serving >> the consensus directly by HTTP >> at some point. >> >> This also requires checking the DirAuths' >> signatures in the consensus >> document. >> >> > Should this be incorporated into the draft? >> >> Yes, we support this idea, but also note >> that, despite parsing and >> validating an .onion descriptor being >> relatively straightforward, it >> involves more code to be maintained. >> >> We understand that signed CAA parameters >> could be accepted directly in >> an ACME API request without reducing security >> and the need to process an >> entire descriptor. >> >> -- >> Silvio Rhatto >> pronouns he/him >> _______________________________________________ >> Acme mailing list >> Acme@ietf.org >> https://www.ietf.org/mailman/listinfo/acme >> >> >> _______________________________________________ >> Acme mailing list >> Acme@ietf.org >> https://www.ietf.org/mailman/listinfo/acme > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme >
- [Acme] Obtaining the Tor hidden service descripto… Q Misell
- Re: [Acme] Obtaining the Tor hidden service descr… rhatto
- Re: [Acme] Obtaining the Tor hidden service descr… Q Misell
- Re: [Acme] Obtaining the Tor hidden service descr… Q Misell
- Re: [Acme] Obtaining the Tor hidden service descr… Q Misell
- Re: [Acme] Obtaining the Tor hidden service descr… Seo Suchan
- Re: [Acme] Obtaining the Tor hidden service descr… Q Misell
- Re: [Acme] Obtaining the Tor hidden service descr… Seo Suchan
- Re: [Acme] Obtaining the Tor hidden service descr… Q Misell
- Re: [Acme] Obtaining the Tor hidden service descr… Seo Suchan