Re: [Acme] Directory metadata; wildcard support; conditional authz creation

Hugo Landau <hlandau@devever.net> Sun, 31 January 2016 08:40 UTC

Return-Path: <hlandau@devever.net>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AF2D1A90D0 for <acme@ietfa.amsl.com>; Sun, 31 Jan 2016 00:40:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.497
X-Spam-Level:
X-Spam-Status: No, score=0.497 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_62=0.6, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Bi2T4nP-aGn for <acme@ietfa.amsl.com>; Sun, 31 Jan 2016 00:40:05 -0800 (PST)
Received: from umbriel.devever.net (umbriel.devever.net [149.202.51.241]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6272C1A90CE for <acme@ietf.org>; Sun, 31 Jan 2016 00:40:05 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by umbriel.devever.net (Postfix) with ESMTP id 77C961C60D; Sun, 31 Jan 2016 09:40:03 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=devever.net; h= user-agent:in-reply-to:content-disposition:content-type :content-type:mime-version:references:message-id:subject:subject :from:from:date:date:received:received; s=mimas; t=1454229603; x=1472418964; bh=4t542MkNHnx8bu/BxzhE20B49eNbCkp8QC0jM9cy1dc=; b= TP2FT2BBuGfZtsdV8ioSzSVpV4Hm6MspjwL/OW5UFIFEONdRFolVQ4uRdsFjPP7s Qeb4O37gurr66f2XR1JAb7pmCF1r2D6b5MKXRdLLuUnsZUuCPODFRNTXnrXk9Qq8 FNZqxGfxDT1Io/nzIBCOqtIFuPuna3ClBBomvbvFjrJiqWpsS5GpVkBZnhdCf76D W2wXdJYVdbtaoFyoWT8SSiqK4dkUdVO5+/dA1Qm+xmkTj+RRaQ0qLiZs3Ncc32f0 ofYQNPjRdIJ5xXTtl9jF2R9alWNryPUSIAnjt+ZQDdi29c0u9Wr93pELdxhjinix zrQrtM+mhMWDcP7gBBMvXg==
Received: from umbriel.devever.net ([127.0.0.1]) by localhost (umbriel.devever.net [127.0.0.1]) (amavisd-new, port 10026) with LMTP id 0a1pL52hReob; Sun, 31 Jan 2016 09:40:03 +0100 (CET)
Received: from andover (localhost [127.0.0.1]) by umbriel.devever.net (Postfix) with SMTP id 40BBF1C083; Sun, 31 Jan 2016 09:40:03 +0100 (CET)
Date: Sun, 31 Jan 2016 08:40:03 +0000
From: Hugo Landau <hlandau@devever.net>
To: Andrew Ayer <agwa@andrewayer.name>
Message-ID: <20160131084003.GA26421@andover>
References: <20160131033925.GA29713@andover> <20160130212624.d28caed07b79d3ccb0c24b39@andrewayer.name>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20160130212624.d28caed07b79d3ccb0c24b39@andrewayer.name>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/EE-ldAa6Yt38oJT2w_2Gd2QGOUc>
Cc: acme@ietf.org
Subject: Re: [Acme] Directory metadata; wildcard support; conditional authz creation
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Jan 2016 08:40:07 -0000

On Sat, Jan 30, 2016 at 09:26:24PM -0800, Andrew Ayer wrote:
> On Sun, 31 Jan 2016 03:39:25 +0000
> Hugo Landau <hlandau@devever.net> wrote:
> 
> > A proposed scheme for wildcard support.
> > <https://github.com/ietf-wg-acme/acme/pull/74>
> 
> 1. I don't think ACME should support wildcard characters anywhere but
> the leftmost label.  RFC6125 says TLS clients SHOULD NOT match wildcards
> in other labels, and in practice neither clients nor CAs support them.
> 
> 2. The validation mechanism is insecure when a domain allows
> users to register arbitrary sub-domains and host content on them
> (e.g. github.io, Amazon S3).  For example, if I create a wildcard
> authz for *.github.io, the server will issue challenges for some
> random sub-domains (e.g. df2icxw7mg5gbbfc636ttbwsmi.github.io,
> fonm6ymv77dlpac2qfvyjns4u4.github.io).  I can go register those
> sub-domains at github.io (since the sub-domain labels have high entropy,
> they will be available with high probability), complete the challenges,
> and then be authorized for all of *.github.io.  To fix this, the server
> should also require I complete a challenge for the "underlying"
> identifier (github.io in this example).
> 
> 3. It's not specified how the server communicates to the
> client what sub-domains need to be validated.
You misunderstand, perhaps I should clarify the wording; the server
never tells. You don't get to know the random subdomains it requests.
This ensures that the wildcard exists and is under control.

Adding a requirement for base domain control would be fine but I don't
see the need.

> 
> I suggest that the HTTP, DNS, and TLS SNI challenge objects be extended
> to include a "hostname" field, which specifies the hostname under which
> the challenge must be completed. The server can then make use of the
> existing combinations mechanism to require the client complete
> challenges under several sub-domains.
> 
> Perhaps ACME shouldn't even specify how wildcard identifiers are
> validated, but leave it as a matter of CA policy.  Some CAs might be
> fine only requiring a challenge on the underlying domain (which is how
> some CAs currently validate wildcard certs), while others would require
> challenges on random sub-domains.  The policy might even be different
> depending on challenge type: the CA might accept either a single DNS
> challenge on the underlying domain, or a combination of HTTP challenges
> on the underlying domain and several random sub-domains.
This might be a good idea.

> 
> -- Andrew