IETF Logo Mail Archive

Re: [Acme] acme subdomains open items

Ryan Sleevi <ryan-ietf@sleevi.com> Mon, 07 December 2020 14:29 UTC

Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 435573A0DCD for <acme@ietfa.amsl.com>; Mon, 7 Dec 2020 06:29:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.159
X-Spam-Level:
X-Spam-Status: No, score=-1.159 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3QLln76Fy2MQ for <acme@ietfa.amsl.com>; Mon, 7 Dec 2020 06:29:16 -0800 (PST)
Received: from mail-pg1-f178.google.com (mail-pg1-f178.google.com [209.85.215.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5CED33A13A6 for <acme@ietf.org>; Mon, 7 Dec 2020 06:29:16 -0800 (PST)
Received: by mail-pg1-f178.google.com with SMTP id w16so8997649pga.9 for <acme@ietf.org>; Mon, 07 Dec 2020 06:29:16 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=wDkIP7CeFZYqyarmzmSR4m6mhmSXgNjuUr6Jidu75g4=; b=fOFlo9amHWmloxcYzEc9sDUr99YlWw6RAUP8rGF5+Ym3gq5x0xX7UmJyguLN3ONL8E UFfIkssAOklbww4oyXx83PrNmgm/KdYiq7McsfnEWQF58TmkcnsIh+B9/IdO+qxKi1fK SUhB8M0qcWlD3v7pldgryIOlpZYWbN0D7t6a43f+vbD4w7lccd04lQsThjecHPYo0/gw iAdTMgX6PxZpskNKhxapyai16uyJdLqGuKMqg5Q+8txtH5b+/6/ihHP1JzjuTjI2tNCD w3qjIkXOMg34CboORqtPQCyDA7LgAkXadYLoX3UTc2nwwzSemyFIJ5PYTkKnT/DAHNax 3g6w==
X-Gm-Message-State: AOAM532mp3BEswbCINplIwtAkI8ryGz3pClvDIXOhyVHTHnc+xX8vT+6 EhTxeq4haOeXqJ0X/+Y8GKgM2yTqdr8=
X-Google-Smtp-Source: ABdhPJzGQGWtSzfF6k/+gnLmfwq4vAZr4nSQF2DodgD9RSoWsAPvgN4M6Zue4wMpUOhBSQyff9w1Fw==
X-Received: by 2002:a63:171b:: with SMTP id x27mr18917066pgl.70.1607351355628; Mon, 07 Dec 2020 06:29:15 -0800 (PST)
Received: from mail-pj1-f49.google.com (mail-pj1-f49.google.com. [209.85.216.49]) by smtp.gmail.com with ESMTPSA id x6sm12642623pfq.57.2020.12.07.06.29.15 for <acme@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 07 Dec 2020 06:29:15 -0800 (PST)
Received: by mail-pj1-f49.google.com with SMTP id b5so3663635pjl.0 for <acme@ietf.org>; Mon, 07 Dec 2020 06:29:15 -0800 (PST)
X-Received: by 2002:a17:90b:1b52:: with SMTP id nv18mr16682234pjb.172.1607351354980; Mon, 07 Dec 2020 06:29:14 -0800 (PST)
MIME-Version: 1.0
References: <CY4PR11MB168504F6D4CF495E8AE8F729DBF10@CY4PR11MB1685.namprd11.prod.outlook.com> <CA7603D9-DFDA-4FA6-A76C-D4E0E638A956@felipegasper.com> <CY4PR11MB16851AD65ACF736CE6FD55A8DBF10@CY4PR11MB1685.namprd11.prod.outlook.com> <CAErg=HEON6756+_3Lfbe=r=3rxV9gAundvG5mBEEOzsKqL8x3w@mail.gmail.com> <CY4PR11MB168593FCC8F11DF836FD12EADBCE0@CY4PR11MB1685.namprd11.prod.outlook.com> <CAErg=HHxbhbZQAdf2SRjFVUezmkGcg+OdeZL_ey0AwubxkSVSA@mail.gmail.com> <16962.1607347826@localhost>
In-Reply-To: <16962.1607347826@localhost>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Mon, 07 Dec 2020 09:29:03 -0500
X-Gmail-Original-Message-ID: <CAErg=HGM5bmm=oJ1ya8gC3EiW8KQJTq2N3fxisDsgSPYKd=DbQ@mail.gmail.com>
Message-ID: <CAErg=HGM5bmm=oJ1ya8gC3EiW8KQJTq2N3fxisDsgSPYKd=DbQ@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: Felipe Gasper <felipe@felipegasper.com>, "Owen Friel (ofriel)" <ofriel@cisco.com>, Ryan Sleevi <ryan-ietf@sleevi.com>, "acme@ietf.org" <acme@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008b01c805b5e0a600"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/AceYzpStZN1MLHzKz_I1-IpwrKs>
Subject: Re: [Acme] acme subdomains open items
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Dec 2020 14:29:18 -0000

On Mon, Dec 7, 2020 at 8:30 AM Michael Richardson <mcr+ietf@sandelman.ca>
wrote:

>
> Ryan, I'm not really following this conversation.
> Probably my mental model of dns-01 challenges is lacking.
> The word "window" does not appear in RFC8555 or acme-subdomains, so that's
> your word, I think.
>
> Ryan Sleevi <ryan-ietf@sleevi.com> wrote:
>     > Further, if we assume that say there are ten domain labels, but the
> server
>     > is only willing to maintain state for five (as a window), then it’s
> not
>     > clear how the client can request the server sends the first five
> rather
>     > than the last five. Having the client advertise its capabilities
> let’s the
>     > client choose the window, and if the server rejects all of them, the
> client
>     > at least can try again with a different window (e.g. the last five
>     > labels).
>
> I don't really understand this at all.
> I think that we are discussing so.me.comp.lex.example.
>
> The client has control over lex.example, but and can prove it with dns-01
> TXT
> record placed at _acme-challenge.lex.example.  Why does it matter whether
> it
> is so.me.comp.lex.example or ve.ry.so.me.comp.lex.example.
> or an.other.comp.lex.example??


The mistake you’ve made here is assuming the client has control over
lex.example, and thus all subdomains. The point of all of this is that is
an unrealistic assumption: the client may only have control over the DNS
zone at so.me.comp.lex.example or they might have control at the
me.comp.lex.example, but no control at comp.lex.example.

The existing approach with ACME assumes and expects that validation will be
done at the FQDN (this is an oversimplification, but the nuance here isn’t
as important). The point is that if the server decides to challenge
lex.example or comp.lex.example, it will fail for this client, so that’s
why we need some form of either/or or both/and of multiple challenges and a
client indicated set of capabilities.

The window is simply which labels you select: the example you chose has
five labels, so whether we select the “first” two domains (“so” and “me”
working from most to least specific) or the “middle” two (“comp” and “lex”)
matters. Similarly, it’s valid to issue a challenge for “example” in all of
its glory: this comes up with ICANN Spec-9/Spec-13 gTLDs, and so it’s
useful to allow the client to say “no, really, validate the *entire*
namespace”. So even if the server challenged “lex.example” that could be
the wrong level.

One thing that just occured to me is whether or not there is any value in
> the
> dns-01 challenge remaining in the DNS after the authorization.
> What I'm thinking is that the CA could offload some of it's state for the
> client to store for it.


I don’t think it’s reasonable at all to make changes like that. It would
either limit issuance of multiple independent certificates within a time
period (collision on _acme-validation) or would encourage the use of random
values in the labels.


>
>     > That’s why my slight preference was to have the client advertise.
>     > Processing after validation seemed preferable to processing prior to
>     > validation, and it also seemed useful to let the client advertise
>     > capabilities directly to let the server reduce any stored state.
>
>     > However, I
>     > can equally imagine an asinine implementation of client-advertise
> that
>     > requests a cert for “www.example.com” but let’s the client set the
> ADN as “
>     > example.net” and, post-validation of example.net, fails to check
> that “
>     > example.net” matches “example.com”. Or does something equally silly
> like
>     > allowing “prefix.example” to authorize
> “not-actually-a-prefix.example”.
>
> I can't see how any of these things are anything other than serious bugs.


I didn’t say they weren’t. But just like C is a fundamentally insecure
language that no one ethically responsible or security conscious should
choose as a first choice for new code, the ergonomics of the decisions here
are worth pointing out. There are Top 10 CAs that are misissuing
certificates because they found it “confusing” to locate requirements [1]
or manually implement the CAA lookup algorithm by hand for every request
[2]. My intent in pointing these out is to acknowledge that we have to
contemplate the worst possible implementations, and view the risks through
that lens, when thinking about risks or tradeoff. We simply can’t assume a
competent implementation, unfortunately.

[1]
https://bugzilla.mozilla.org/show_bug.cgi?id=1662807
[2]
https://bugzilla.mozilla.org/show_bug.cgi?id=1651026#c12

>

v2.23.0 | Report a Bug | By Email