IETF Logo Mail Archive

Re: [Acme] Add a special token parameter in ACME registration

Richard Barnes <rlb@ipv.sx> Tue, 16 August 2016 20:48 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDE9D12D0FB for <acme@ietfa.amsl.com>; Tue, 16 Aug 2016 13:48:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AwVozh8WYLJD for <acme@ietfa.amsl.com>; Tue, 16 Aug 2016 13:48:29 -0700 (PDT)
Received: from mail-ua0-x22d.google.com (mail-ua0-x22d.google.com [IPv6:2607:f8b0:400c:c08::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 415DC12D0C5 for <acme@ietf.org>; Tue, 16 Aug 2016 13:48:29 -0700 (PDT)
Received: by mail-ua0-x22d.google.com with SMTP id 74so141969356uau.0 for <acme@ietf.org>; Tue, 16 Aug 2016 13:48:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=PJ0qoSP3jjQsY8CzjpNWKpp78rRtwot51ICA94k9B44=; b=tR9A/+V6an3nyWb9autLnwmElVcbgMKnAHentlRJvNpwu44vKSdnli9gWzUGB0nOFi NzClEPwvKxtb6H1KE4hCN2EB09/66QMaIJ0JuYCxT9HKJx7CIjQELTfTOiYeCZyCRtjL DPclYZbHcUJPM8j5tqj8c5FwRRmJ1kjMsf2v48IyeOKMRHvZzaVPem5cIypm4Q3py4MA 2O93z5vyy6QGoxHuTYo1k09z0Cw9oqukAq27NFq3HXTFd6B6V+IZ1VtoA3j80Wsb9Eer HadACNSJlpqJREoDoGLS1FfdH3XupMktpgxs1wShYa4KxmqOSY3hLPZRpQGvdX8olM/O 2NNg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=PJ0qoSP3jjQsY8CzjpNWKpp78rRtwot51ICA94k9B44=; b=gRsYz2cIN+mNaZ8BoXvkUSemSkDRWGnbEATnosQOPtyoOrv6SHgQnj+FVxEaBSNqjb pvcsc0E92wgyWi456a78yBKrVyJtug9JEhbH6qdqUoqw1EowSbamqqyMzUBbxxe9+RI2 hRpMkx2TD1BxzUo+nHo4mZFfLAs+NZtqg1Wl3N+hOuFZtJnhNgM0RvCqiHIB/HJpznRU AMjxvTeEOZzhhzmjdjYr8pBod+5HFjClJweBUftPoOxGDUwjQZlFUCU1MKewHtJi5/Az pMp8JCl2/lGuvkkv0Q2rukWR53VcHqP7OQIXeN5wBPCXeGUhNSELZcaXunzsg81j95QO i7KQ==
X-Gm-Message-State: AEkoousVGvINT4wby/YOSnE8zRPv05nDF4b8q4eMJgoadcXMjR/Scx5BrNvo0ubB4C2ffUxjvkuz8xLxErPNnA==
X-Received: by 10.31.10.67 with SMTP id 64mr17197758vkk.40.1471380508212; Tue, 16 Aug 2016 13:48:28 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.31.49.212 with HTTP; Tue, 16 Aug 2016 13:48:27 -0700 (PDT)
In-Reply-To: <c81aa0ec-4d8b-8e9f-cba3-d6205e466e53@eff.org>
References: <236F64DDDC83C742A24E89E6E215CFC7E4CFB7@mx3.startssl.com> <CAObDDPAEaiWE0Apao_sWin2njhC+CjQuw1D07upTsn4=BQQZnQ@mail.gmail.com> <d729f81d-44a7-7e64-a528-a43df5e6dd69@eff.org> <010e01d1f7d0$dcd3c7a0$967b56e0$@startssl.com> <c81aa0ec-4d8b-8e9f-cba3-d6205e466e53@eff.org>
From: Richard Barnes <rlb@ipv.sx>
Date: Tue, 16 Aug 2016 16:48:27 -0400
Message-ID: <CAL02cgTedv63cgjxDf3eNWANnVSG1zDkDDzUHrv0XVHb5ooJWg@mail.gmail.com>
To: Jacob Hoffman-Andrews <jsha@eff.org>
Content-Type: multipart/alternative; boundary="001a11451b1c85a708053a3678e5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/AbD0uIdxmiAWd7goB0j33sdNOyE>
Cc: "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] Add a special token parameter in ACME registration
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Aug 2016 20:48:32 -0000

There are two clearly separable problems here:

1. Associating an ACME account key to an account in some other system
2. Determining when to issue an EV certificate (and with what contents)

Let's address them each separately.  (Note that Andy filed
https://github.com/ietf-wg-acme/acme/issues/170 for (1))

=====

For (1), it seems sufficient (as Andy suggests) to add a token to the
registration object.  If the client has one, it can add it either in the
new-registration request or as a later update to the registration.  The
server just reflects this value in its registration object.

I think we can leave the details of what this association means pretty much
out of scope.  The only requirement that comes to my mind is that the CA
should reflect any authorization it has granted to the client in
application objects, even if it's only an OOB link to some document.

It seems worth noting that one could also address this problem in the other
direction, by letting clients set an ACME account key in the other account
system.  However, it seems better to create minimal dependencies on
upgrades to these systems.  And in any case, it would be best to have
binding in *both* directions, to avoid unknown-key-share-like risks.


=====

For (2), I can think of a few approaches:

a. Infer the certificate type from the CSR.  For example, if the Subject in
the CSR has (C, O, CN), infer that the applicant wants EV.
b. Have a field in the new-application request that the client can use to
indicate what type of certificate, e.g., {"certType": "ev"} to indicate EV.
c. Have a field in the new-application request that indicates which CA the
applicant would like to issue the certificate, e.g., {"ca":
"identifier-for-CA"}.

All of these are approaches have drawbacks.  Options (a) and (b) kind of
paper over the idea that you would have one ACME service fronting for
different CAs; I would prefer to be explicit about that.  (Option (a) also
seems pretty brittle, since you might not always have a 1-1 mapping between
patterns of Subject fields and certificate types.)  With Option (c),
though, you would probably also want some way for the client to discover
what CAs are available.  Option (c) also presumes that there's a 1-1
mapping between CAs and the policies they support, which seems like it
should be the case, but might not be (you could combine it with (b) to
address this).

Personally, I think my preference order would be c > b >> a.  We're likely
to need to solve the multi-CA problem at some point soon anyway, so we
might as well do it now.  Roughly, the proposal for (c) here would be as
follows:

- In "meta" part of the directory, add a "CAs" entry with an dictionary of
CAs that are accessible at this ACME server.
- For each CA, the dictionary key is a unique identifier, and the value has
some metadata, e.g.:
  - An identifier for the policy the CA implements ("dv", "ev", etc.)
  - A link to more information about the CA
- In the new-application request, allow the client to specify which CA it
would like to issue the certificate (using the unique ID from the
directory/meta)

Thoughts?

--Richard



On Tue, Aug 16, 2016 at 12:04 PM, Jacob Hoffman-Andrews <jsha@eff.org>
wrote:

> On 08/16/2016 08:14 AM, Andy Ligg wrote:
> >> One possibility would to make it the client's responsibility to request
> >> EV by including the desired O, OU, etc. fields in the Subject DN of the
> >> CSR. It would then be the server's responsibility to accept or reject
> >> the request based on whether the account has a sufficient validation
> >> level (and payment).
> >
> > A: StartCom issued the certificate not based on CSR info, we don’t care
> > about the info in the CSR, we issue the certificate based on this
> > account validated level and validated identity information. This mode
> > don’t work, CSR is not enough to identify the certificate type.
>
> Keep in mind that you're gong to have to start using *some* of the info
> from the requested CSR, because ACME uses the hostnames embedded in a
> CSR to determine which hostnames to issue for. ACME also uses the CSR to
> convey requested extensions, like Must Staple, though obviously not all
> CAs will support all extensions.
>
> Can you say more about why a CSR is not enough to identify the
> certificate type?
>
> > A: Yes, our API call is the same way as ACME registration – using client
> > certificate for authentication. In my last email, we need to add a API
> > Token in the ACME registration, then all are OK for paid CA.
> > Sure, if the paid CA is not this way but like to use ACME, then they
> > need to change the API system.
>
> Is your proposal that `POST /acme/new-reg` would contain a token
> obtained from the StartSSL website? Or that your ACME server would
> generate a token and provide it as part of the response to new-reg?
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>

v2.23.0 | Report a Bug | By Email