Re: [Acme] Add a special token parameter in ACME registration
Richard Barnes <rlb@ipv.sx> Tue, 16 August 2016 20:48 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDE9D12D0FB for <acme@ietfa.amsl.com>; Tue, 16 Aug 2016 13:48:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AwVozh8WYLJD for <acme@ietfa.amsl.com>; Tue, 16 Aug 2016 13:48:29 -0700 (PDT)
Received: from mail-ua0-x22d.google.com (mail-ua0-x22d.google.com [IPv6:2607:f8b0:400c:c08::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 415DC12D0C5 for <acme@ietf.org>; Tue, 16 Aug 2016 13:48:29 -0700 (PDT)
Received: by mail-ua0-x22d.google.com with SMTP id 74so141969356uau.0 for <acme@ietf.org>; Tue, 16 Aug 2016 13:48:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=PJ0qoSP3jjQsY8CzjpNWKpp78rRtwot51ICA94k9B44=; b=tR9A/+V6an3nyWb9autLnwmElVcbgMKnAHentlRJvNpwu44vKSdnli9gWzUGB0nOFi NzClEPwvKxtb6H1KE4hCN2EB09/66QMaIJ0JuYCxT9HKJx7CIjQELTfTOiYeCZyCRtjL DPclYZbHcUJPM8j5tqj8c5FwRRmJ1kjMsf2v48IyeOKMRHvZzaVPem5cIypm4Q3py4MA 2O93z5vyy6QGoxHuTYo1k09z0Cw9oqukAq27NFq3HXTFd6B6V+IZ1VtoA3j80Wsb9Eer HadACNSJlpqJREoDoGLS1FfdH3XupMktpgxs1wShYa4KxmqOSY3hLPZRpQGvdX8olM/O 2NNg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=PJ0qoSP3jjQsY8CzjpNWKpp78rRtwot51ICA94k9B44=; b=gRsYz2cIN+mNaZ8BoXvkUSemSkDRWGnbEATnosQOPtyoOrv6SHgQnj+FVxEaBSNqjb pvcsc0E92wgyWi456a78yBKrVyJtug9JEhbH6qdqUoqw1EowSbamqqyMzUBbxxe9+RI2 hRpMkx2TD1BxzUo+nHo4mZFfLAs+NZtqg1Wl3N+hOuFZtJnhNgM0RvCqiHIB/HJpznRU AMjxvTeEOZzhhzmjdjYr8pBod+5HFjClJweBUftPoOxGDUwjQZlFUCU1MKewHtJi5/Az pMp8JCl2/lGuvkkv0Q2rukWR53VcHqP7OQIXeN5wBPCXeGUhNSELZcaXunzsg81j95QO i7KQ==
X-Gm-Message-State: AEkoousVGvINT4wby/YOSnE8zRPv05nDF4b8q4eMJgoadcXMjR/Scx5BrNvo0ubB4C2ffUxjvkuz8xLxErPNnA==
X-Received: by 10.31.10.67 with SMTP id 64mr17197758vkk.40.1471380508212; Tue, 16 Aug 2016 13:48:28 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.31.49.212 with HTTP; Tue, 16 Aug 2016 13:48:27 -0700 (PDT)
In-Reply-To: <c81aa0ec-4d8b-8e9f-cba3-d6205e466e53@eff.org>
References: <236F64DDDC83C742A24E89E6E215CFC7E4CFB7@mx3.startssl.com> <CAObDDPAEaiWE0Apao_sWin2njhC+CjQuw1D07upTsn4=BQQZnQ@mail.gmail.com> <d729f81d-44a7-7e64-a528-a43df5e6dd69@eff.org> <010e01d1f7d0$dcd3c7a0$967b56e0$@startssl.com> <c81aa0ec-4d8b-8e9f-cba3-d6205e466e53@eff.org>
From: Richard Barnes <rlb@ipv.sx>
Date: Tue, 16 Aug 2016 16:48:27 -0400
Message-ID: <CAL02cgTedv63cgjxDf3eNWANnVSG1zDkDDzUHrv0XVHb5ooJWg@mail.gmail.com>
To: Jacob Hoffman-Andrews <jsha@eff.org>
Content-Type: multipart/alternative; boundary="001a11451b1c85a708053a3678e5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/AbD0uIdxmiAWd7goB0j33sdNOyE>
Cc: "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] Add a special token parameter in ACME registration
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Aug 2016 20:48:32 -0000
There are two clearly separable problems here: 1. Associating an ACME account key to an account in some other system 2. Determining when to issue an EV certificate (and with what contents) Let's address them each separately. (Note that Andy filed https://github.com/ietf-wg-acme/acme/issues/170 for (1)) ===== For (1), it seems sufficient (as Andy suggests) to add a token to the registration object. If the client has one, it can add it either in the new-registration request or as a later update to the registration. The server just reflects this value in its registration object. I think we can leave the details of what this association means pretty much out of scope. The only requirement that comes to my mind is that the CA should reflect any authorization it has granted to the client in application objects, even if it's only an OOB link to some document. It seems worth noting that one could also address this problem in the other direction, by letting clients set an ACME account key in the other account system. However, it seems better to create minimal dependencies on upgrades to these systems. And in any case, it would be best to have binding in *both* directions, to avoid unknown-key-share-like risks. ===== For (2), I can think of a few approaches: a. Infer the certificate type from the CSR. For example, if the Subject in the CSR has (C, O, CN), infer that the applicant wants EV. b. Have a field in the new-application request that the client can use to indicate what type of certificate, e.g., {"certType": "ev"} to indicate EV. c. Have a field in the new-application request that indicates which CA the applicant would like to issue the certificate, e.g., {"ca": "identifier-for-CA"}. All of these are approaches have drawbacks. Options (a) and (b) kind of paper over the idea that you would have one ACME service fronting for different CAs; I would prefer to be explicit about that. (Option (a) also seems pretty brittle, since you might not always have a 1-1 mapping between patterns of Subject fields and certificate types.) With Option (c), though, you would probably also want some way for the client to discover what CAs are available. Option (c) also presumes that there's a 1-1 mapping between CAs and the policies they support, which seems like it should be the case, but might not be (you could combine it with (b) to address this). Personally, I think my preference order would be c > b >> a. We're likely to need to solve the multi-CA problem at some point soon anyway, so we might as well do it now. Roughly, the proposal for (c) here would be as follows: - In "meta" part of the directory, add a "CAs" entry with an dictionary of CAs that are accessible at this ACME server. - For each CA, the dictionary key is a unique identifier, and the value has some metadata, e.g.: - An identifier for the policy the CA implements ("dv", "ev", etc.) - A link to more information about the CA - In the new-application request, allow the client to specify which CA it would like to issue the certificate (using the unique ID from the directory/meta) Thoughts? --Richard On Tue, Aug 16, 2016 at 12:04 PM, Jacob Hoffman-Andrews <jsha@eff.org> wrote: > On 08/16/2016 08:14 AM, Andy Ligg wrote: > >> One possibility would to make it the client's responsibility to request > >> EV by including the desired O, OU, etc. fields in the Subject DN of the > >> CSR. It would then be the server's responsibility to accept or reject > >> the request based on whether the account has a sufficient validation > >> level (and payment). > > > > A: StartCom issued the certificate not based on CSR info, we don’t care > > about the info in the CSR, we issue the certificate based on this > > account validated level and validated identity information. This mode > > don’t work, CSR is not enough to identify the certificate type. > > Keep in mind that you're gong to have to start using *some* of the info > from the requested CSR, because ACME uses the hostnames embedded in a > CSR to determine which hostnames to issue for. ACME also uses the CSR to > convey requested extensions, like Must Staple, though obviously not all > CAs will support all extensions. > > Can you say more about why a CSR is not enough to identify the > certificate type? > > > A: Yes, our API call is the same way as ACME registration – using client > > certificate for authentication. In my last email, we need to add a API > > Token in the ACME registration, then all are OK for paid CA. > > Sure, if the paid CA is not this way but like to use ACME, then they > > need to change the API system. > > Is your proposal that `POST /acme/new-reg` would contain a token > obtained from the StartSSL website? Or that your ACME server would > generate a token and provide it as part of the response to new-reg? > > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme >
- Re: [Acme] Add a special token parameter in ACME … Andrew Ayer
- Re: [Acme] Add a special token parameter in ACME … Andy Ligg
- Re: [Acme] Add a special token parameter in ACME … Andy Ligg
- Re: [Acme] Add a special token parameter in ACME … Richard Barnes
- Re: [Acme] Add a special token parameter in ACME … Martin Thomson
- Re: [Acme] Add a special token parameter in ACME … Richard Barnes
- Re: [Acme] Add a special token parameter in ACME … Jacob Hoffman-Andrews
- Re: [Acme] Add a special token parameter in ACME … Andy Ligg
- Re: [Acme] Add a special token parameter in ACME … Andy Ligg
- Re: [Acme] Add a special token parameter in ACME … Jacob Hoffman-Andrews
- Re: [Acme] Add a special token parameter in ACME … J.C. Jones
- [Acme] Add a special token parameter in ACME regi… Andy Ligg