Re: [Acme] Directory metadata; wildcard support; conditional authz creation
Hugo Landau <hlandau@devever.net> Sun, 31 January 2016 08:40 UTC
Return-Path: <hlandau@devever.net>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AF2D1A90D0 for <acme@ietfa.amsl.com>; Sun, 31 Jan 2016 00:40:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.497
X-Spam-Level:
X-Spam-Status: No, score=0.497 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_62=0.6, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Bi2T4nP-aGn for <acme@ietfa.amsl.com>; Sun, 31 Jan 2016 00:40:05 -0800 (PST)
Received: from umbriel.devever.net (umbriel.devever.net [149.202.51.241]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6272C1A90CE for <acme@ietf.org>; Sun, 31 Jan 2016 00:40:05 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by umbriel.devever.net (Postfix) with ESMTP id 77C961C60D; Sun, 31 Jan 2016 09:40:03 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=devever.net; h= user-agent:in-reply-to:content-disposition:content-type :content-type:mime-version:references:message-id:subject:subject :from:from:date:date:received:received; s=mimas; t=1454229603; x=1472418964; bh=4t542MkNHnx8bu/BxzhE20B49eNbCkp8QC0jM9cy1dc=; b= TP2FT2BBuGfZtsdV8ioSzSVpV4Hm6MspjwL/OW5UFIFEONdRFolVQ4uRdsFjPP7s Qeb4O37gurr66f2XR1JAb7pmCF1r2D6b5MKXRdLLuUnsZUuCPODFRNTXnrXk9Qq8 FNZqxGfxDT1Io/nzIBCOqtIFuPuna3ClBBomvbvFjrJiqWpsS5GpVkBZnhdCf76D W2wXdJYVdbtaoFyoWT8SSiqK4dkUdVO5+/dA1Qm+xmkTj+RRaQ0qLiZs3Ncc32f0 ofYQNPjRdIJ5xXTtl9jF2R9alWNryPUSIAnjt+ZQDdi29c0u9Wr93pELdxhjinix zrQrtM+mhMWDcP7gBBMvXg==
Received: from umbriel.devever.net ([127.0.0.1]) by localhost (umbriel.devever.net [127.0.0.1]) (amavisd-new, port 10026) with LMTP id 0a1pL52hReob; Sun, 31 Jan 2016 09:40:03 +0100 (CET)
Received: from andover (localhost [127.0.0.1]) by umbriel.devever.net (Postfix) with SMTP id 40BBF1C083; Sun, 31 Jan 2016 09:40:03 +0100 (CET)
Date: Sun, 31 Jan 2016 08:40:03 +0000
From: Hugo Landau <hlandau@devever.net>
To: Andrew Ayer <agwa@andrewayer.name>
Message-ID: <20160131084003.GA26421@andover>
References: <20160131033925.GA29713@andover> <20160130212624.d28caed07b79d3ccb0c24b39@andrewayer.name>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20160130212624.d28caed07b79d3ccb0c24b39@andrewayer.name>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/EE-ldAa6Yt38oJT2w_2Gd2QGOUc>
Cc: acme@ietf.org
Subject: Re: [Acme] Directory metadata; wildcard support; conditional authz creation
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Jan 2016 08:40:07 -0000
On Sat, Jan 30, 2016 at 09:26:24PM -0800, Andrew Ayer wrote: > On Sun, 31 Jan 2016 03:39:25 +0000 > Hugo Landau <hlandau@devever.net> wrote: > > > A proposed scheme for wildcard support. > > <https://github.com/ietf-wg-acme/acme/pull/74> > > 1. I don't think ACME should support wildcard characters anywhere but > the leftmost label. RFC6125 says TLS clients SHOULD NOT match wildcards > in other labels, and in practice neither clients nor CAs support them. > > 2. The validation mechanism is insecure when a domain allows > users to register arbitrary sub-domains and host content on them > (e.g. github.io, Amazon S3). For example, if I create a wildcard > authz for *.github.io, the server will issue challenges for some > random sub-domains (e.g. df2icxw7mg5gbbfc636ttbwsmi.github.io, > fonm6ymv77dlpac2qfvyjns4u4.github.io). I can go register those > sub-domains at github.io (since the sub-domain labels have high entropy, > they will be available with high probability), complete the challenges, > and then be authorized for all of *.github.io. To fix this, the server > should also require I complete a challenge for the "underlying" > identifier (github.io in this example). > > 3. It's not specified how the server communicates to the > client what sub-domains need to be validated. You misunderstand, perhaps I should clarify the wording; the server never tells. You don't get to know the random subdomains it requests. This ensures that the wildcard exists and is under control. Adding a requirement for base domain control would be fine but I don't see the need. > > I suggest that the HTTP, DNS, and TLS SNI challenge objects be extended > to include a "hostname" field, which specifies the hostname under which > the challenge must be completed. The server can then make use of the > existing combinations mechanism to require the client complete > challenges under several sub-domains. > > Perhaps ACME shouldn't even specify how wildcard identifiers are > validated, but leave it as a matter of CA policy. Some CAs might be > fine only requiring a challenge on the underlying domain (which is how > some CAs currently validate wildcard certs), while others would require > challenges on random sub-domains. The policy might even be different > depending on challenge type: the CA might accept either a single DNS > challenge on the underlying domain, or a combination of HTTP challenges > on the underlying domain and several random sub-domains. This might be a good idea. > > -- Andrew
- [Acme] Directory metadata; wildcard support; cond… Hugo Landau
- Re: [Acme] Directory metadata; wildcard support; … Andrew Ayer
- Re: [Acme] Directory metadata; wildcard support; … Hugo Landau
- Re: [Acme] Directory metadata; wildcard support; … Andrew Ayer
- Re: [Acme] Directory metadata; wildcard support; … Richard Körber
- Re: [Acme] Directory metadata; wildcard support; … Hugo Landau