IETF Logo Mail Archive

Re: [Acme] Fixing the TLS-SNI challenge type

"Matthew D. Hardeman" <mhardeman@ipifony.com> Fri, 12 January 2018 03:46 UTC

Return-Path: <mhardeman@ipifony.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30FDF127735 for <acme@ietfa.amsl.com>; Thu, 11 Jan 2018 19:46:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0VgTnIZiTJ6m for <acme@ietfa.amsl.com>; Thu, 11 Jan 2018 19:46:30 -0800 (PST)
Received: from mail.ipifony.com (mail.ipifony.com [199.71.210.39]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89EE51201F2 for <acme@ietf.org>; Thu, 11 Jan 2018 19:46:30 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.ipifony.com (Postfix) with ESMTP id 04933B40961 for <acme@ietf.org>; Thu, 11 Jan 2018 21:46:30 -0600 (CST)
X-Virus-Scanned: amavisd-new at ipifony.com
Received: from mail.ipifony.com ([127.0.0.1]) by localhost (mail.ipifony.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gmq0VdqA91rf for <acme@ietf.org>; Thu, 11 Jan 2018 21:46:29 -0600 (CST)
Received: from [10.47.52.51] (68-117-162-146.dhcp.unas.al.charter.com [68.117.162.146]) by mail.ipifony.com (Postfix) with ESMTPSA id 0BF64B40951 for <acme@ietf.org>; Thu, 11 Jan 2018 21:46:29 -0600 (CST)
From: "Matthew D. Hardeman" <mhardeman@ipifony.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
Message-Id: <F3477AAE-9C23-4FBE-B88D-E3ABC3CFB60D@ipifony.com>
Date: Thu, 11 Jan 2018 21:46:28 -0600
To: acme@ietf.org
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/AloPAr672NIeaL1mVA7JYgluR2g>
Subject: Re: [Acme] Fixing the TLS-SNI challenge type
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jan 2018 03:47:38 -0000

Hi, guys,

I’m entirely new to this list and not sure whether or not I’m welcome, but I have some comments on the ALPN idea.

In order to actually be an improvement in security, the ALPN needs to be more than a mere marker of support.

Consider:  The new mechanism is implemented and Let’s Encrypt deploys.

Customer’s of not-secure-shared-webhost-A complain that they can’t get validations via this easy mechanism.  (The complaint would actually likely originate internally by their own development staff.)

Rather than do the work to ALSO fix the insecure aspects of the infrastructure, they’ll hastily patch in the “acme" name.

To add security, perhaps the SNI that is sent should be the actual domain label that is being validated, along with the “acme” ALPN name.  At this point, an actual ALPN extension should negotiate the authentication, with the server having the opportunity to bind the proper target name to a desired authentication and then if and only if the server has available the account key credentials of the requestor, would it be able to answer with a proper authentication.

Just adding a marker with the hammer being that just doing this without implementing the promises that are supposed to be implied on pain of violating an RFC is…  Likely to get laughed at in a derisive way by the very web hosts whose behavior now has you contemplating improvements to the protocol.

There’s no fast way out of this mess.

v2.23.0 | Report a Bug | By Email